Snort detecting distributed syn floods

["Brian T" <briant4592 () hotmail com>]

Hello List,

Over the past several months I have been experiencing intermittent DDoS 
attempts.  The traffic is a distributed syn flood that usually goes after 
known backdoored ports and targets 40k+ IPs.  We are using snort and have a 
tap in front of the firewall.  I would like to set up a detection mechanism 
for this type of attack but since the target ports keep changing I'm not 
sure Snort has the capability of performing this type of detection  (sounds 
like I may need something be anomaly based).  I want to detect a distributed 
syn flood/scan without having the related IDS rule(s) tied to any specific 
ports.  The motive is to be proactive instead of adding a rule after an 
attack has occurred.  I'm relatively new to snort and was hoping to get some 
feedback from anyone who has used snort to detect this type of attack.

Thanks,
Brian T

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------