Snort mailing list archives
Custom syn flood rule
From: webcatalog () mac com
Date: Fri, 21 Feb 2003 01:29:52 -0600
I have a massive SYN flood attack coming at me and I need a rule that detects it. My current copy of Snort does not. Here is what tcpdump is seeing.
01:06:29.038697 205.188.209.76.36723 > xxx.xxx.xxx.xxx.80: S 957153913:957153913(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)
01:06:29.039022 81.20.143.65.1465 > xxx.xxx.xxx.xxx.80: S 1212088320:1212088320(0) win 16384
01:06:29.039226 81.14.148.97.1720 > xxx.xxx.xxx.xxx.80: S 243138560:243138560(0) win 16384
01:06:29.039276 81.14.148.98.1674 > xxx.xxx.xxx.xxx.80: S 432668672:432668672(0) win 16384
01:06:29.039289 81.14.148.99.1213 > xxx.xxx.xxx.xxx.80: S 1246887936:1246887936(0) win 16384
The first one is a valid SYN packet; the others are not. The only thing I can see that is special is that the fake SYN packets don't contain any of the following:
"<mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)". In fact they don't have a "message string size" at all. How can I detect that?
Robert Minor
Director of Internet Services
------------------------------------------------------------
Cybermill Communications
http://www.cybermill.com
http://www.merchantmaker.com
Providing Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.
All your websites are belong to us!
-------------------------------------------------------
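The trait the post points at is visible in the TCP header itself: a SYN that carries no options has a data offset of 5 (a bare 20-byte header), while the legitimate SYN above has a 32-byte header holding MSS, SACK-permitted and window-scale options. The following Python is an added example, not code from the post or from Snort, that parses raw IPv4/TCP headers, flags option-less SYNs, walks the option list for an MSS, and counts such SYNs per destination port. The packets it parses are constructed inline to mirror the five tcpdump lines (the victim address 192.0.2.10 is made up, and checksums are zero); nothing is read from the network.

```python
"""Flag TCP SYNs with no options (20-byte header, hence no MSS), the trait the
post observes in the flood packets, and count them per destination port."""
import socket
import struct
from collections import Counter

TCP_SYN = 0x02
TCP_ACK = 0x10
OPT_MSS = 2

# Option block of the legitimate SYN in the post:
# <mss 1460,nop,nop,sackOK,nop,wscale 0>  ->  12 bytes, data offset 8
LEGIT_OPTIONS = bytes.fromhex("020405b4" "01" "01" "0402" "01" "030300")


def build_ipv4_tcp(src, dst, sport, dport, seq, flags, window, options=b"", df=False):
    """Build an IPv4+TCP header pair with zeroed checksums. This is a constructed
    sample for parsing, not a packet meant for the wire."""
    options += b"\x00" * (-len(options) % 4)          # pad to 32-bit words
    data_offset = 5 + len(options) // 4                # header length in words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset << 4, flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                     0x4000 if df else 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_tcp(pkt):
    """Return the TCP fields of interest from an IPv4/TCP packet, or None if
    the packet is not TCP or is too short to hold a TCP header."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    tcp = pkt[ihl:]
    sport, dport, seq, _ack, off_res, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    hlen = (off_res >> 4) * 4                          # data offset in bytes
    return {"src": socket.inet_ntoa(pkt[12:16]), "sport": sport, "dport": dport,
            "seq": seq, "flags": flags, "window": window,
            "hlen": hlen, "options": tcp[20:hlen]}


def has_mss(options):
    """Walk the TCP option list (kind, length, data) and report whether MSS is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                     # malformed length: stop rather than loop forever
        if kind == OPT_MSS:
            return True
        i += options[i + 1]
    return False


def is_bare_syn(info):
    """A SYN (not SYN/ACK) whose header is the bare 20 bytes, i.e. no options at all."""
    return (info["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN and info["hlen"] == 20


def count_bare_syns(packets):
    """Count option-less SYNs per destination port across a batch of packets."""
    counts = Counter()
    for pkt in packets:
        info = parse_tcp(pkt)
        if info and is_bare_syn(info):
            counts[info["dport"]] += 1
    return counts


# Constructed samples mirroring the five tcpdump lines in the post (victim address made up).
SAMPLES = [
    build_ipv4_tcp("205.188.209.76", "192.0.2.10", 36723, 80, 957153913,
                   TCP_SYN, 5840, LEGIT_OPTIONS, df=True),
    build_ipv4_tcp("81.20.143.65", "192.0.2.10", 1465, 80, 1212088320, TCP_SYN, 16384),
    build_ipv4_tcp("81.14.148.97", "192.0.2.10", 1720, 80, 243138560, TCP_SYN, 16384),
    build_ipv4_tcp("81.14.148.98", "192.0.2.10", 1674, 80, 432668672, TCP_SYN, 16384),
    build_ipv4_tcp("81.14.148.99", "192.0.2.10", 1213, 80, 1246887936, TCP_SYN, 16384),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        info = parse_tcp(pkt)
        print(info["src"], "bare SYN" if is_bare_syn(info) else "SYN with options",
              "/ MSS present" if has_mss(info["options"]) else "/ no MSS")
    print("bare SYNs per dport:", dict(count_bare_syns(SAMPLES)))
```

Two caveats for anyone turning this into an alert. An option-less SYN is not by itself proof of spoofing, since some minimal stacks and scanners send them, so the per-port count over a time window, with a threshold tuned to the site's normal traffic, is what should trigger, not any single packet. And the header-length check is the whole test: a packet with a 20-byte TCP header cannot carry an MSS option, so has_mss() only adds information for SYNs that do have options.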