SYN Flood preprocessor?

["Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>]

I'd like to be able to detect SYN Flood attempts but don't see a way that
Snort can detect this. Does anyone know of a way? Will the portscan
preprocessor pick these up with there are half-connections initiated to the
same port over and over (i.e to port 80)?

It seems like it wouldn't be that difficult to edit the portscan
preprocessor and make a SYN Flood preprocessor. Has anyone ever looked at
this?

Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users