Re: Dos bufer overflow snort rule

[wkitty42 () windstream net]

On 06/10/2017 12:47 PM, ‫moon sun‬ ‫ via Snort-users wrote:
> Hello,
> Is this snort rule correct for detecting dos bufer overflow attack ? :


do you mean DOS as in "Disk Operating System" or DoS as in "Denial of 
Service"??? what buffer are you thinking of??


> alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, 
> track by_src, count 70, seconds 10; sid:10001;rev:1;)


this rule detects "Denial of Service" by counting the number of SYNs and seeing 
if they are 70 or more in a 10 second period... it is easily evaded by 
throttling the connections to less than 70 within 10 seconds... the above rule 
is also only detecting connections on port 80 but a true DoS ("Denial of 
Service") can be on any port...


> And what is the tcp header features that included in Dos attack ? such as  service type : http , port: 80  and the 
> count , and what else ?


i think the range of the above rule is already too limited for what you appear 
to think you are trying to detect...



--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!