Snort mailing list archives
Re: syn flood detection?
From: "Vinay A. Mahadik" <VAMahadik () lbl gov>
Date: Mon, 29 Jul 2002 17:17:16 -0700
Daniel Lopez wrote:
> Hello, I am using SNORT 1.8.7 and I was performing some tests. I noticed that it was not able to detect SYN floods! I could read in previous posts that currently, this was not possible.
It wouldn't be easy to set a 'flood' threshold for SYN packets even for one's own network (think mail server on Monday morning)..
> Thus, I wanted to know if this will be possible in future versions? Then, is it possible to detect SYN floods with the use of SPADE?
Spade only helps in detecting packets going to rare/anomalous ports, not all/any ports. So a flood of packets to a port that's anyway a popular port from Spade's standards (think www) isn't going to trigger an alert. I think SYN flood detection falls into anomaly detection.. requiring (perhaps impossible) incoming traffic modeling..

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
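The two points made in the reply above, as an added example that is not part of the original message and is not Snort or Spade code: a static SYN-rate threshold cannot separate a legitimate Monday-morning mail peak from a flood of similar rate, and a port-rarity score of the form -log2(P(port)) stays low for a flood aimed at a popular port. All traffic figures are constructed, and the scoring function is a simplified, port-only stand-in for Spade's anomaly score.

```python
import math
from collections import Counter

# Constructed sample data: SYN packets per second seen at a mail server.
QUIET_SUNDAY = [3, 5, 4, 6, 2]
MONDAY_MORNING = [180, 220, 260, 240, 210]  # legitimate burst of inbound mail
FLOOD = [230, 250, 240, 255, 245]           # attack at a rate close to the Monday peak


def fixed_threshold_alerts(syn_rates, threshold):
    """Indices of the seconds whose SYN rate exceeds a static threshold."""
    return [i for i, rate in enumerate(syn_rates) if rate > threshold]


def separating_threshold_exists(legit_rates, attack_rates):
    """True only if one static threshold flags every attack second and no legitimate one."""
    return max(legit_rates) < min(attack_rates)


def port_anomaly_scores(dest_ports):
    """Simplified rarity score per destination port: -log2 of its observed frequency."""
    counts = Counter(dest_ports)
    total = sum(counts.values())
    return {port: -math.log2(n / total) for port, n in counts.items()}


# Constructed history of destination ports: www dominates, one packet to a rare port.
BASELINE_PORTS = [80] * 9000 + [25] * 900 + [22] * 99 + [31337]
FLOOD_PORTS = [80] * 50000  # constructed flood aimed at the popular port

if __name__ == "__main__":
    # A threshold tuned on the quiet day fires on every second of the Monday peak.
    print("Monday alerts at 100 SYN/s:", fixed_threshold_alerts(MONDAY_MORNING, 100))
    # A threshold raised above the Monday peak no longer sees the flood.
    print("Flood alerts at 300 SYN/s:", fixed_threshold_alerts(FLOOD, 300))
    print("Static threshold separates Monday from flood:",
          separating_threshold_exists(MONDAY_MORNING, FLOOD))

    before = port_anomaly_scores(BASELINE_PORTS)
    during = port_anomaly_scores(BASELINE_PORTS + FLOOD_PORTS)
    # The flood makes port 80 even more "normal", so its score drops further.
    print("port 80 score before/during flood: %.3f / %.3f" % (before[80], during[80]))
    print("rare port score before flood: %.2f" % before[31337])
```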