Snort mailing list archives

Writing snort rules for dos detection in tcpdump files


From: Aneela Safdar <ansaf_130 () yahoo com>
Date: Fri, 25 Dec 2015 12:50:06 +0000 (UTC)

I have got some tcpdump files from KDD-99 dataset and I am trying to find out Neptune attacks recorded in them. I am
writing rules in standard form, for instance:

alert tcp any any -> any 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; classtype: attempted-dos; threshold: type threshold, track by_src, count 20, seconds 6; sid:1000001; rev:1;)

According to this very rule, I should be alerted only after 6 seconds if more than 20 rules are found, but it generates
an alert for all packets having SYN enabled. Can anybody help me here?

Regards,
Aneela Safdar
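The rule above combines a SYN-only match (`flags:S`) with a per-source `threshold`. To make the intended semantics concrete, here is an added example (not part of the post and not Snort's own code) that models the three documented threshold types (`limit`, `threshold`, `both`) over a constructed packet list: 50 SYNs from one source in under 3 seconds next to a few ordinary connection attempts from a second host. The window handling is modelled on the Snort manual's description of each type; the packet records, addresses and timestamps are made up for the example.

```python
"""Model of Snort's per-rule `threshold` keyword applied to a SYN-flood-style
packet stream.  Constructed example; the Packet records and Threshold class are
this example's own, not Snort's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp, seconds
    src: str
    dst: str
    dport: int
    flags: str      # TCP flag letters as Snort prints them, e.g. "S", "SA", "A"


class Threshold:
    """threshold: type {limit|threshold|both}, track {by_src|by_dst}, count m, seconds n.

    limit     - alert on the first m matching events per window, then stay silent
    threshold - alert on every m-th matching event; the window restarts on each alert
    both      - alert once per window, when the m-th event arrives
    """

    def __init__(self, kind: str, count: int, seconds: float, track: str = "by_src"):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown threshold type {kind!r}")
        self.kind, self.count, self.seconds, self.track = kind, count, seconds, track
        self._state: Dict[str, Tuple[float, int]] = {}   # key -> (window_start, events_seen)

    def allow(self, pkt: Packet) -> bool:
        key = pkt.src if self.track == "by_src" else pkt.dst
        start, n = self._state.get(key, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:          # window expired: start a fresh one
            start, n = pkt.ts, 0
        n += 1
        if self.kind == "limit":
            fire = n <= self.count
        elif self.kind == "threshold":
            fire = n >= self.count
            if fire:
                start, n = pkt.ts, 0                # restart counting after logging
        else:                                       # both
            fire = n == self.count
        self._state[key] = (start, n)
        return fire


def run_rule(packets: List[Packet], threshold: Optional[Threshold] = None) -> List[Packet]:
    """Evaluate `alert tcp any any -> any 80 (flags:S; ...)` and return the packets
    that would be reported.  `flags:S` with no modifier matches SYN set and no other
    flag set, so SYN/ACK and bare ACK packets never reach the threshold logic."""
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.dport != 80 or p.flags != "S":
            continue
        if threshold is None or threshold.allow(p):
            alerts.append(p)
    return alerts


def sample_capture() -> List[Packet]:
    """Constructed traffic: a flood of 50 SYNs from 10.0.0.1 inside 3 s, and three
    normal connection attempts (SYN followed by ACK) from 10.0.0.2."""
    pkts = [Packet(100.0 + i * 0.06, "10.0.0.1", "192.168.1.5", 80, "S") for i in range(50)]
    for t in (100.5, 101.5, 102.5):
        pkts.append(Packet(t, "10.0.0.2", "192.168.1.5", 80, "S"))
        pkts.append(Packet(t + 0.01, "10.0.0.2", "192.168.1.5", 80, "A"))
    return pkts


def alert_counts(packets: List[Packet]) -> Dict[str, int]:
    """Number of alerts the rule produces with no threshold and with each type."""
    return {
        "no threshold": len(run_rule(packets)),
        "limit 20/6s": len(run_rule(packets, Threshold("limit", 20, 6))),
        "threshold 20/6s": len(run_rule(packets, Threshold("threshold", 20, 6))),
        "both 20/6s": len(run_rule(packets, Threshold("both", 20, 6))),
    }


if __name__ == "__main__":
    for name, n in alert_counts(sample_capture()).items():
        print(f"{name:16s} {n:3d} alerts")
```

With `type threshold, count 20, seconds 6` the flood source trips the rule at its 20th and 40th SYN and the well-behaved host never does, which is the behaviour the rule text asks for; without the threshold every one of the 53 SYNs is reported. When checking the real rule against the pcap, run Snort over the file (`snort -r file.pcap -c snort.conf`) rather than a live interface so that the capture timestamps, not wall-clock time, drive the window.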