Snort mailing list archives
Re: spoof detection?
From: Martin Forest <martin () heimdalls co nz>
Date: Wed, 14 Nov 2001 15:04:20 +1300
> * All machines on the Net receiving these packets that don't have port 21 open, respond to my web server with a RST, thinking my web server is the source of the packets.
> * So now my web server is receiving tons of RSTs from different hosts on the Net, where enough of them could cause a denial of service.
>
> Is there a way to set up Snort to look for a high threshold of RSTs so I can tell when someone might be spoofing my address and trying to cause a denial of service on my site?
I might have misunderstood your question. But why would you do something like that with an IDS system? That is normally a task for a firewall, not an IDS system. IPTables is the perfect task for this. It uses stateful inspection and you can configure logging in many ways for different events, and with ease configure anti-spoofing... I.e. log (alert) / block if I receive more than x number of events during n seconds...

(If ISPs around the world knew what they were doing and configured anti-spoofing on all gateways, we would have a much smaller problem with spoofing... I used to work for an ISP in New Zealand and saved several GIG of data every day when we filtered spoofing.)

/Martin Forest
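The "more than x events during n seconds" check discussed in this thread, combined with connection tracking so that only unsolicited RSTs count, sketched in Python. This is an added example, not part of the original post and not iptables or Snort configuration; the function name, the tuple layout and the addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import deque

SERVER = "192.0.2.10"  # constructed address standing in for the web server

def detect_rst_backscatter(packets, threshold, window, server=SERVER):
    """Return [(timestamp, count)] each time unsolicited inbound RSTs
    exceed `threshold` within the last `window` seconds.

    packets: time-ordered (ts, src, sport, dst, dport, flags) tuples.
    """
    opened = set()      # flows the server itself initiated
    recent = deque()    # timestamps of unsolicited RSTs inside the window
    alerts = []
    alerting = False    # suppress repeat alerts while the burst continues
    for ts, src, sport, dst, dport, flags in packets:
        if src == server:
            if flags == "S":
                # Remember outbound SYNs so their RSTs are not counted.
                opened.add((dst, dport, sport))
            continue
        if dst != server or "R" not in flags:
            continue
        if (src, sport, dport) in opened:
            continue    # RST answers a connection we really attempted
        recent.append(ts)
        while recent and recent[0] <= ts - window:
            recent.popleft()
        if len(recent) > threshold:
            if not alerting:
                alerts.append((ts, len(recent)))
                alerting = True
        else:
            alerting = False
    return alerts

# Constructed sample traffic: one legitimate outbound attempt that is
# refused, then eight hosts answering SYNs the server never sent.
SAMPLE = [
    (0.0, SERVER, 40000, "198.51.100.5", 25, "S"),
    (0.1, "198.51.100.5", 25, SERVER, 40000, "RA"),
] + [
    (1.0 + i / 10, f"203.0.113.{i + 1}", 21, SERVER, 1024 + i, "RA")
    for i in range(8)
]

if __name__ == "__main__":
    for ts, count in detect_rst_backscatter(SAMPLE, threshold=5, window=2.0):
        print(f"t={ts}: {count} unsolicited RSTs in window")
```
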
Current thread:
- spoof detection? Sheahan, Paul (PCLN-NW) (Nov 13)
- Re: spoof detection? Chris Green (Nov 13)
- Re: spoof detection? Martin Forest (Nov 13)