Snort mailing list archives

detection of smurf attack


From: sofia insat <sofia.insat () yahoo fr>
Date: Mon, 30 Nov 2009 23:38:55 +0000 (GMT)

Hi,

I have to detect a smurf attack with ICMPv6 packets.
I have used detection_filter and threshold like this:

alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------"; detection_filter: track by_src, count 30, seconds 1; sid:1000009;)

alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF  -----------"; threshold: type limit, track by_src, count 30, seconds 1; sid:10000010;)

but in the alert file I obtain all the alerts.
The smurf attack script that I have used generates about 17000 echo request packets per second and I want to have only one alert.

Thanks
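
A simplified model of how Snort 2.x counts alerts under detection_filter and the three threshold types, run over a constructed 17000 packet-per-second flood from a single source; this is an added example, not part of the original post and not Snort's own code. The fixed per-source intervals, the function names and the 2001:db8::1 address are assumptions made for the illustration.

```python
from collections import defaultdict

def count_alerts(events, mode, count, seconds):
    """events: (timestamp, src) rule matches, sorted by time.
    mode: 'detection_filter', or threshold type 'limit' | 'threshold' | 'both'.
    Returns the number of alerts that would be logged (simplified model)."""
    window_start = {}            # src -> start of its current interval
    seen = defaultdict(int)      # src -> matches counted in that interval
    alerts = 0
    for ts, src in events:
        # Assumption: fixed intervals per tracked source, reset on expiry.
        if src not in window_start or ts - window_start[src] >= seconds:
            window_start[src] = ts
            seen[src] = 0
        seen[src] += 1
        n = seen[src]
        if mode == "detection_filter":
            alerts += n > count          # every match once the rate is exceeded
        elif mode == "limit":
            alerts += n <= count         # only the first `count` matches
        elif mode == "threshold":
            alerts += n % count == 0     # every `count`-th match
        elif mode == "both":
            alerts += n == count         # once per interval, at the count-th match
        else:
            raise ValueError(f"unknown mode: {mode}")
    return alerts

def constructed_flood(pps, duration, src="2001:db8::1"):
    """Constructed sample input: `pps` echo requests per second from one source."""
    return [(i / pps, src) for i in range(pps * duration)]

def compare(pps=17000, duration=2, count=30, seconds=1):
    """Alert totals for each mode over the same constructed flood."""
    flood = constructed_flood(pps, duration)
    return {mode: count_alerts(flood, mode, count, seconds)
            for mode in ("detection_filter", "limit", "threshold", "both")}

if __name__ == "__main__":
    for mode, total in compare().items():
        print(f"{mode:17s} {total:6d} alerts in 2 s of flood")
```

In this model, with count 30 and seconds 1, only type both produces a single alert per source per interval.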


      