Snort mailing list archives
RE: Snort and Synflood alerts
From: "Abe L. Getchell" <abegetchell () home com>
Date: Tue, 15 Jan 2002 22:59:02 -0500
Hi Scott!

Well, since a SYN is a SYN is a SYN, there's really no way of saying that one SYN packet is part of a SYN flood attack and one isn't. There _are_ special characteristics you'll see _occasionally_ with poorly written SYN flood DoS and DDoS software such as a static IP identification number, a static source port, a static TCP sequence number, or even data on the SYN (which is discussed in a different capacity in another thread on the list right now); I've seen all of these in the wild. Snort has all the rules you need to detect the control channels for the zombie processes which generate the DoS packets, but Snort really can't tell you if you're experiencing a SYN flood.

It seems that the portscan preprocessor could be pretty easily modified to allow it to detect X number of SYN packets, instead of packets to X number of ports, in a specified amount of time. Kind of sort of a SYN flood packet rate detector type thingy. I might just have to add this to the list of projects I'll never get time to complete... <sigh>

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Scott Teeters Jr
Sent: Tuesday, January 15, 2002 11:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and Synflood alerts

I am working on implementing Snort as our de facto IDS. One of the items my manager wants to see is our synflood activity. Synfloods have been a pain in our side in the past and we want to be able to break out the synflood activity as a separate item in our reporting. I need to know if anyone has seen a Snort signature that specifically targets synfloods?

Thanks,
Scott Teeters, Jr.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
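The rate detector Abe sketches above, as an added example that is not part of this thread or of Snort's portscan preprocessor: it counts bare SYNs per destination in a sliding window over constructed packet records and, for a flagged target, reports which of the static-field cues he lists hold. The threshold, window and packet tuple layout are assumptions, and the sample packets are constructed, not captured.

```python
from collections import defaultdict, deque

# Constructed packet records (not a capture): (time_s, src, dst, flags, ip_id, sport, seq, payload_len).
# flags is the TCP flag string; "S" is a bare SYN, "A" an ACK.  Addresses are documentation ranges.
SAMPLE = [
    (0.0, "192.0.2.10", "10.0.0.5", "S", 1001, 40001, 111, 0),   # a normal handshake...
    (0.2, "192.0.2.10", "10.0.0.5", "A", 1002, 40001, 112, 0),
    (2.0, "192.0.2.11", "10.0.0.5", "S", 2001, 51234, 222, 0),   # ...and a few more real clients
    (5.0, "192.0.2.12", "10.0.0.5", "S", 3001, 52000, 333, 0),
] + [
    # burst of SYNs to 10.0.0.9 from changing sources, with every field Abe lists held static
    (10.0 + i * 0.05, f"198.51.100.{i + 1}", "10.0.0.9", "S", 4660, 1234, 12345, 0)
    for i in range(8)
]

def syn_rate_alerts(packets, threshold=5, window=1.0):
    """Alert once per destination when more than `threshold` bare SYNs arrive within `window` seconds.

    Returns [(time, dst, syn_count_in_window), ...] in arrival order."""
    recent = defaultdict(deque)   # dst -> timestamps of SYNs still inside the window
    alerts, alerted = [], set()
    for t, _src, dst, flags, *_rest in sorted(packets, key=lambda p: p[0]):
        if flags != "S":
            continue
        q = recent[dst]
        q.append(t)
        while t - q[0] > window:          # slide the window forward; q holds t, so this ends
            q.popleft()
        if len(q) > threshold and dst not in alerted:
            alerts.append((t, dst, len(q)))
            alerted.add(dst)
    return alerts

def static_field_hints(packets, dst):
    """Corroborating cues from the thread: a field that never varies across SYNs to dst, or
    payload on the SYN.  Absent cues do not clear a flood; they only hint at the tooling."""
    syns = [p for p in packets if p[3] == "S" and p[2] == dst]
    hints = set()
    if len(syns) >= 2:
        for name, idx in (("static ip_id", 4), ("static sport", 5), ("static seq", 6)):
            if len({p[idx] for p in syns}) == 1:
                hints.add(name)
    if any(p[7] > 0 for p in syns):
        hints.add("data on SYN")
    return hints

if __name__ == "__main__":
    for t, dst, n in syn_rate_alerts(SAMPLE):
        cues = sorted(static_field_hints(SAMPLE, dst))
        print(f"t={t:.2f}s possible SYN flood toward {dst}: {n} SYNs in window; cues={cues}")
```

On the constructed sample the normal clients to 10.0.0.5 never trip the threshold, while 10.0.0.9 is flagged on its sixth SYN with the three static-field cues attached.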
Current thread:
- Snort and Synflood alerts Scott Teeters Jr (Jan 15)
- RE: Snort and Synflood alerts Abe L. Getchell (Jan 15)