Snort mailing list archives

RE: Snort and Synflood alerts


From: "Abe L. Getchell" <abegetchell () home com>
Date: Tue, 15 Jan 2002 22:59:02 -0500

Hi Scott!

Well, since a SYN is a SYN is a SYN, there's really no way of saying
that one SYN packet is part of a SYN flood attack and one isn't.  There
_are_ special characteristics you'll see _occasionally_ with poorly
written SYN flood DoS and DDoS software such as a static IP
identification number, a static source port, a static TCP sequence
number, or even data on the SYN (which is discussed in a different
capacity in another thread on the list right now); I've seen all of
these in the wild.  Snort has all the rules you need to detect the
control channels for the zombie processes which generate the DoS
packets, but Snort really can't tell you if you're experiencing a SYN
flood.

It seems that the portscan preprocessor could be pretty easily modified
to allow it to detect X number of SYN packets, instead of packets to X
number of ports, in a specified amount of time.  Kind of sort of a SYN
flood packet rate detector type thingy.  I might just have to add this
to the list of projects I'll never get time to complete... <sigh>

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com
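As an added illustration (not code from this thread, from Snort, or from its portscan preprocessor), here is the kind of SYN rate detector Abe sketches above, written in Python over constructed packet records: a sliding window counts SYNs per second, and when the count crosses a threshold the packets in that window are checked for the static-field tells he lists (constant IP ID, constant source port, constant sequence number, data on the SYN). The record layout, threshold and window size are assumptions.

```python
from collections import deque

# Constructed sample records, not real captures. One tuple per TCP packet:
# (time_sec, src_ip, src_port, ip_id, seq, flags, payload_len)
def make_packets():
    pkts = []
    # Benign handshakes: varying IP ID, source port and sequence number, empty SYN.
    for i in range(20):
        host = "10.0.0.%d" % (i % 5 + 1)
        pkts.append((i * 0.5, host, 40000 + i, 1000 + i, 77000 + i * 9, "S", 0))
        pkts.append((i * 0.5 + 0.01, host, 40000 + i, 1001 + i, 77001 + i * 9, "A", 0))
    # Flood burst: 150 SYNs inside one second from many sources, with a static
    # IP ID, static source port, static sequence number and 8 bytes of data.
    for j in range(150):
        pkts.append((30.0 + j / 150.0, "192.0.2.%d" % (j % 40 + 1),
                     1234, 0x4321, 0xDEADBEEF, "S", 8))
    return sorted(pkts)

def is_syn(pkt):
    return pkt[5] == "S"

def fingerprint(syns):
    """Low-confidence tells of poorly written flood tools, evaluated over the
    SYNs in the alerting window only (constant fields across many sources)."""
    tells = set()
    if len({p[3] for p in syns}) == 1:
        tells.add("static_ip_id")
    if len({p[2] for p in syns}) == 1:
        tells.add("static_src_port")
    if len({p[4] for p in syns}) == 1:
        tells.add("static_seq")
    if any(p[6] > 0 for p in syns):
        tells.add("data_on_syn")
    return tells

def detect(pkts, threshold=100, window=1.0):
    """Sliding-window SYN counter: alert once each time the number of SYNs seen
    in the last `window` seconds reaches `threshold`, re-arming when it drops."""
    recent, alerts, armed = deque(), [], True
    for pkt in pkts:
        if not is_syn(pkt):
            continue
        recent.append(pkt)
        while recent and pkt[0] - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if armed:
                alerts.append({"time": pkt[0], "syn_count": len(recent),
                               "tells": fingerprint(recent)})
                armed = False
        else:
            armed = True
    return alerts
```

The window holds only SYNs, so ordinary traffic with matching ACKs never raises the count, and the fingerprint is only meaningful once the rate threshold has already fired.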


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Scott Teeters Jr
Sent: Tuesday, January 15, 2002 11:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and Synflood alerts


I am working on implementing Snort as our de facto IDS. One of the items my manager wants to see is our synflood activity. Synfloods have been a pain in our side in the past and we want to be able to break out the synflood activity as a separate item in our reporting. I need to know if anyone has seen a Snort signature that specifically targets synfloods?

Thanks,
Scott Teeters, Jr.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


