Snort mailing list archives

Custom syn flood rule


From: webcatalog () mac com
Date: Fri, 21 Feb 2003 01:29:52 -0600

I have a massive syn_flood attack coming at me and I need a rule that detects it. My current copy of snort does not. Here is what tcpdump is seeing.

01:06:29.038697 205.188.209.76.36723 > xxx.xxx.xxx.xxx.80: S 957153913:957153913(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)
01:06:29.039022 81.20.143.65.1465 > xxx.xxx.xxx.xxx.80: S 1212088320:1212088320(0) win 16384
01:06:29.039226 81.14.148.97.1720 > xxx.xxx.xxx.xxx.80: S 243138560:243138560(0) win 16384
01:06:29.039276 81.14.148.98.1674 > xxx.xxx.xxx.xxx.80: S 432668672:432668672(0) win 16384
01:06:29.039289 81.14.148.99.1213 > xxx.xxx.xxx.xxx.80: S 1246887936:1246887936(0) win 16384


The first one is a valid syn packet; the others are not. The only thing I can see that is special is that the fake syn packets don't contain any of the following:
"<mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)"

In fact they don't have a "message string size" at all. How can I detect that? 

Robert Minor
Director of Internet Services
------------------------------------------------------------
Cybermill Communications
http://www.cybermill.com        http://www.merchantmaker.com

Providing Ecommerce and interactive website development and
hosting services on Macintosh, Windows NT, Unix, and AS/400.

All your websites are belong to us!
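The distinguishing feature in the trace above is that the flood SYNs carry no TCP options at all (TCP data offset of 5, so no MSS, no SACK-permitted, no window scale), while the genuine SYN does. The following is an added example, not code from the original post or from the Snort project, showing how that check looks at the byte level: it parses the TCP header's data offset and options area and flags a SYN that lacks an MSS option, and applies the same test to tcpdump text lines like the ones quoted. The header bytes are constructed for the example (zero checksum, no IP header); the function names are the example's own.

```python
import struct

SYN = 0x02
ACK = 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def build_tcp_header(src_port, dst_port, seq, flags, window, options=b""):
    """Build a minimal TCP header (no IP header, checksum left zero).
    Constructed test data for this example, not captured traffic."""
    options += b"\x00" * (-len(options) % 4)        # pad options to a 32-bit boundary
    data_offset = 5 + len(options) // 4              # header length in 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                       (data_offset << 12) | flags, window, 0, 0) + options


def parse_tcp_options(header):
    """Return a list of (kind, data) tuples from the TCP options area.
    Raises ValueError on a truncated header or a malformed option length."""
    data_offset = header[12] >> 4
    if data_offset < 5 or len(header) < data_offset * 4:
        raise ValueError("truncated or malformed TCP header")
    opts, i, end = [], 20, data_offset * 4
    while i < end:
        kind = header[i]
        if kind == OPT_EOL:                          # end of option list
            break
        if kind == OPT_NOP:                          # single-byte padding
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= end:
            raise ValueError("option length byte missing")
        length = header[i + 1]
        if length < 2 or i + length > end:
            raise ValueError("bad option length")
        opts.append((kind, header[i + 2:i + length]))
        i += length
    return opts


def is_optionless_syn(header):
    """True for a SYN (not SYN/ACK) whose options carry no MSS (kind 2).
    Real TCP stacks practically always send an MSS on a SYN, so its
    absence is a useful flood heuristic, though not proof on its own."""
    flags = header[13]
    if not (flags & SYN) or (flags & ACK):
        return False
    return not any(kind == OPT_MSS for kind, _ in parse_tcp_options(header))


def syn_lacks_mss(tcpdump_line):
    """Same test applied to a tcpdump text line: a SYN ('S') with no '<mss'."""
    return " S " in tcpdump_line and "<mss" not in tcpdump_line


# Options exactly as in the genuine SYN above: mss 1460, nop, nop, sackOK, nop, wscale 0
REAL_SYN_OPTS = (b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"
                 + b"\x01" + b"\x03\x03\x00")
REAL_SYN = build_tcp_header(36723, 80, 957153913, SYN, 5840, REAL_SYN_OPTS)
FAKE_SYN = build_tcp_header(1465, 80, 1212088320, SYN, 16384)   # no options at all

# The trace lines from the post, used here as sample input.
SAMPLE_LINES = [
    "01:06:29.038697 205.188.209.76.36723 > xxx.xxx.xxx.xxx.80: S 957153913:957153913(0) "
    "win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)",
    "01:06:29.039022 81.20.143.65.1465 > xxx.xxx.xxx.xxx.80: S 1212088320:1212088320(0) win 16384",
    "01:06:29.039226 81.14.148.97.1720 > xxx.xxx.xxx.xxx.80: S 243138560:243138560(0) win 16384",
]


def count_optionless_syns(lines):
    """Number of tcpdump lines that look like option-less SYNs; a rate
    threshold on this count is what a flood detector would alert on."""
    return sum(1 for line in lines if syn_lacks_mss(line))


if __name__ == "__main__":
    print("genuine SYN flagged:", is_optionless_syn(REAL_SYN))   # False
    print("flood SYN flagged:  ", is_optionless_syn(FAKE_SYN))   # True
    print("option-less SYNs in sample:", count_optionless_syns(SAMPLE_LINES))
```

The byte-level check is the one to apply to live packets: a data offset of 5 means the options area is empty, and only then is the MSS test needed. A handful of option-less SYNs is not itself an attack, so alert on the count per destination over a short window rather than on single packets.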



