Snort mailing list archives

Re: tcp syn flood attack


From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 14 Jun 2010 16:15:30 -0400

That rule won't exactly catch a syn flood.  Assuming the rule fires the way
you want without the detection_filter, it will, with the detection_filter,
fire when more than 10 such *packets* are received in 60 seconds.

If you truly want a syn flood detection, you need a rate_filter something
like this:

rate_filter \
    gen_id 135, sig_id 1, \
    track by_dst, \
    count 10, seconds 60, \
    new_action drop, timeout <T>, \
    apply_to 10.1.1.100

where <T> is the duration you want to drop before allowing the traffic
through again.

That will catch an excessive rate of syns.

Note that this rate filter applies to the destination IP.  You can also
write a separate rule and then rate filter that rule.

Russ
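As an added example (not from this thread or from Snort's code), a small Python model of the by_src versus by_dst distinction Russ raises: the same count 10, seconds 60 threshold with a drop timeout, tracked per source and per destination, fed a constructed burst of SYNs toward 10.1.1.100 from many different sources. The per-source counter never trips; the per-destination one does, and stays in drop until the timeout expires. The sliding-window semantics are an approximation of README.filters, not Snort's implementation.

```python
from collections import defaultdict, deque


class SynRateFilter:
    """Approximate model of a Snort rate_filter (assumption, not Snort code):
    count events per tracked address in a sliding window of `seconds`; once
    more than `count` are seen, apply `new_action` for `timeout` seconds."""

    def __init__(self, track, count, seconds, timeout, new_action="drop"):
        assert track in ("by_src", "by_dst")
        self.track, self.count, self.seconds = track, count, seconds
        self.timeout, self.new_action = timeout, new_action
        self.window = defaultdict(deque)   # key -> SYN timestamps in window
        self.until = {}                    # key -> end of new_action period

    def verdict(self, ts, src, dst):
        """Return 'pass' or new_action for a SYN from src to dst at time ts."""
        key = src if self.track == "by_src" else dst
        if ts < self.until.get(key, 0.0):
            return self.new_action                 # still inside the timeout
        q = self.window[key]
        while q and q[0] <= ts - self.seconds:     # expire old timestamps
            q.popleft()
        q.append(ts)
        if len(q) > self.count:                    # rate exceeded
            self.until[key] = ts + self.timeout
            q.clear()
            return self.new_action
        return "pass"


def simulate(filt, syns):
    """Apply filt to (ts, src, dst) SYNs in order; return the verdicts."""
    return [filt.verdict(ts, s, d) for ts, s, d in syns]


# Constructed sample: 30 SYNs in 3 seconds, each from a different source,
# all aimed at the squid proxy from the thread.
FLOOD = [(i * 0.1, f"198.51.100.{i}", "10.1.1.100") for i in range(30)]


def compare():
    """Number of SYNs dropped when tracking by_src versus by_dst."""
    by_src = SynRateFilter("by_src", count=10, seconds=60, timeout=30)
    by_dst = SynRateFilter("by_dst", count=10, seconds=60, timeout=30)
    return (simulate(by_src, FLOOD).count("drop"),
            simulate(by_dst, FLOOD).count("drop"))


if __name__ == "__main__":
    print(compare())  # -> (0, 20)
```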

On Mon, Jun 14, 2010 at 3:48 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com> wrote:

Ok, after reading, I need to drop a high tcp syn flood to my squid.

Is this rule fine, or shall I do other tuning?


drop tcp any any -> 10.1.1.100 3128 ( \
    msg:"Squid sync flood"; \
    flow:established,to_server; \
    detection_filter: track by_src, count 10, seconds 60; \
    sid:1000001; rev:1;)

Regards,

LD

Le lundi 14 juin 2010 11:58:54, Russ Combs a écrit :
That is documented in the Snort manual and in README.filters in the
tarball.

On Mon, Jun 14, 2010 at 12:43 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com> wrote:
in 2.8 how is this rule?

Le lundi 14 juin 2010 10:51:44, Russ Combs a écrit :
Snort 2.4 is out of date.  The latest Snort includes a rate-based
attack detection capability that addresses syn floods.  Have you
tried downloading the tarball from snort.org and building an inline version?

Russ

On Sun, Jun 13, 2010 at 6:42 PM, black_angel black_angel <black.sad.angel () gmail com> wrote:
Hello everybody,
My snort inline 2.4 can't detect a syn flood attack using hping3. If
someone can help me, please, to write a rule to avoid this attack.
Thanks


------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit.  See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


