Snort mailing list archives
Re: Dos bufer overflow snort rule
From: wkitty42 () windstream net
Date: Sun, 11 Jun 2017 06:20:55 -0400
On 06/10/2017 12:47 PM, moon sun via Snort-users wrote:
Hello, Is this snort rule correct for detecting dos bufer overflow attack ? :
do you mean DOS as in "Disk Operating System" or DoS as in "Denial of Service"??? what buffer are you thinking of??
alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, track by_src, count 70, seconds 10; sid:10001;rev:1;)
this rule detects "Denial of Service" by counting the number of SYNs and seeing if they are 70 or more in a 10 second period... it is easily evaded by throttling the connections to less than 70 within 10 seconds... the above rule is also only detecting connections on port 80 but a true DoS ("Denial of Service") can be on any port...
And what is the tcp header features that included in Dos attack ? such as service type : http , port: 80 and the count , and what else ?
i think the range of the above rule is already too limited for what you appear to think you are trying to detect...
-- NOTE: No off-list assistance is given without prior approval. *Please keep mailing list traffic on the list unless* *a signed and pre-paid contract is in effect with us.* ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Dos bufer overflow snort rule moon sun via Snort-users (Jun 10)
- Re: Dos bufer overflow snort rule wkitty42 (Jun 11)