Snort mailing list archives
Re: Syn-Flood
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 12 Nov 2003 12:52:28 -0500
At 10:47 AM 11/12/2003, Frank Barton wrote:
I've been looking for a rule that would detect a syn-flood, and the only way I can think of doing this would be with N "activate" rules (where N is the number of SYN packets that arrive in a specified time), and I think there's got to be a better way. After reading the rules for dos-attacks, all I saw was that each tool that is detected is detected by some content string, not specifically by a volume. The documentation pdf doesn't have anything in it about a "count" option, or any other way that I can think of to count packets. If anybody has any ideas, I'd be most thankful.
This would really need to be done in the code itself with some kind of variant of spp_portscan. (the classic spp_portscan is implemented as an event counter, which is exactly what you'd need)
Code-wise it would be fairly trivial to modify spp_portscan's basic logic to be a synflood detector instead of a portscan detector.. but AFAIK nobody's done it before.
If you dig in the archives, you'll find this exact topic has been discussed before..
http://www.mcabee.org/lists/snort-users/May-02/msg00237.html
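A minimal version of the event-counter logic Matt describes, as an added example that is not code from this thread or from Snort's spp_portscan: it assumes packets have already been parsed into (timestamp, src, dst, dport, flags) tuples, keeps a sliding window of bare-SYN timestamps per destination socket, and alerts once the count in the window passes a threshold. The sample traffic is constructed.

```python
from collections import defaultdict, deque

SYN = 0x02   # TCP flag bits
ACK = 0x10

class SynFloodDetector:
    """Alert once when more than `threshold` bare SYNs (SYN set, ACK clear)
    arrive for one (dst_ip, dst_port) within any `window` seconds."""
    def __init__(self, threshold=100, window=5.0):
        self.threshold = threshold
        self.window = window
        self._times = defaultdict(deque)   # (dst, dport) -> SYN timestamps
        self._alerted = set()

    def feed(self, ts, src, dst, dport, flags):
        # Only initial SYNs count; SYN/ACK replies and handshake ACKs do not.
        if not (flags & SYN) or (flags & ACK):
            return None
        key = (dst, dport)
        q = self._times[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) > self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return f"SYN flood suspected: {len(q)} SYNs to {dst}:{dport} within {self.window}s"
        return None

def run(records, threshold=100, window=5.0):
    """Feed (ts, src, dst, dport, flags) records in time order; return alerts."""
    det = SynFloodDetector(threshold, window)
    alerts = []
    for rec in sorted(records):
        msg = det.feed(*rec)
        if msg:
            alerts.append(msg)
    return alerts

def sample_records():
    """Constructed traffic: one normal handshake, then 150 SYNs from
    many different sources to one web server in under a second."""
    recs = [(0.00, "10.0.0.5", "192.0.2.10", 80, SYN),
            (0.01, "192.0.2.10", "10.0.0.5", 80, SYN | ACK),
            (0.02, "10.0.0.5", "192.0.2.10", 80, ACK)]
    recs += [(1.0 + i * 0.005, f"203.0.113.{i % 250}", "192.0.2.10", 80, SYN)
             for i in range(150)]
    return recs
```

Tuning the threshold and window to the host's normal connection rate is the whole game; a busy web server legitimately sees many SYNs per second, which is why the real preprocessor tracks per-destination state rather than a global count.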