Snort mailing list archives

spp_flood (the importance of port connection?)


From: Cearns Angela <acearns () yahoo com>
Date: Thu, 8 Aug 2002 04:38:52 -0700 (PDT)

Hello:

I'm developing a generic flood detection preprocessor
for snort.
I've a few design questions.

Currently, I'm able to detect a generic ping flood
attack generated by simple commands such as
ping -f

The icmp flood alert is based on the fact that icmp
doesn't have port numbers associated with it.
So, a simple count of the number of incoming icmp
packets (X) received at a target over the specified
time (Y) is used to raise an alert. 

For generic UDP and TCP flood detection:
Option 1:
-----------
Should I differentiate the attack based on a
particular port number? i.e., should I also track the
number of packets received at each port in order to
raise an alert? (X packets received at Z port over Y
time)

or

Option 2:
-----------
Do I only need to consider the total number of
incoming packets from a specific source (regardless of
which port the packets are targeted at)? (X packets over
Y time)

What are your suggestions?

Thanks,
Ang
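The two counting strategies the post asks about, side by side, as an added example in C (not the poster's preprocessor and not Snort's preprocessor API): a fixed-window counter keyed either per source address (Option 2) or per source address plus destination port (Option 1). The threshold X=20 packets, window Y=2 seconds, source address 10.0.0.1 and port numbers in the traces are all constructed for the demonstration. The trace helper shows the practical difference: a source spraying one packet at each of many ports trips the per-source counter but never the per-port one, while a flood aimed at a single port trips both.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define MAX_TRACKED 256      /* fixed-size table; a real preprocessor would hash/expire */

/* Option 2 = count per source only; Option 1 = count per (source, dst port). */
typedef enum { MODE_PER_SOURCE = 0, MODE_PER_SOURCE_PORT = 1 } flood_mode_t;

typedef struct {
    uint32_t src_ip;        /* source address, host byte order */
    uint16_t dst_port;      /* 0 when tracking per source only */
    double   window_start;  /* start of the current Y-second window; <0 = unset */
    unsigned count;         /* packets seen in that window */
    bool     alerted;       /* one alert per window, to avoid alert storms */
} flood_entry_t;

typedef struct {
    flood_mode_t mode;
    unsigned threshold;     /* X packets ... */
    double window;          /* ... over Y seconds */
    flood_entry_t entries[MAX_TRACKED];
    size_t used;
} flood_detector_t;

void flood_init(flood_detector_t *d, flood_mode_t mode, unsigned x, double y) {
    memset(d, 0, sizeof *d);
    d->mode = mode; d->threshold = x; d->window = y;
}

static flood_entry_t *find_or_add(flood_detector_t *d, uint32_t src, uint16_t port) {
    for (size_t i = 0; i < d->used; i++)
        if (d->entries[i].src_ip == src && d->entries[i].dst_port == port)
            return &d->entries[i];
    if (d->used == MAX_TRACKED) return NULL;      /* table full: no tracking, no alert */
    flood_entry_t *e = &d->entries[d->used++];
    e->src_ip = src; e->dst_port = port;
    e->window_start = -1.0; e->count = 0; e->alerted = false;
    return e;
}

/* Feed one packet (src, dst port, timestamp in seconds). Returns true exactly when
   this packet makes the key reach X packets within the current Y-second window. */
bool flood_packet(flood_detector_t *d, uint32_t src, uint16_t dst_port, double ts) {
    uint16_t key_port = (d->mode == MODE_PER_SOURCE_PORT) ? dst_port : 0;
    flood_entry_t *e = find_or_add(d, src, key_port);
    if (!e) return false;
    if (e->window_start < 0 || ts - e->window_start >= d->window) {
        e->window_start = ts; e->count = 0; e->alerted = false;   /* new window */
    }
    e->count++;
    if (e->count >= d->threshold && !e->alerted) {
        e->alerted = true;
        return true;
    }
    return false;
}

/* Constructed trace: 30 packets from 10.0.0.1 within 0.9 s, either sprayed over
   30 different ports (spread_ports) or all aimed at port 80. Returns alert count. */
int run_trace(flood_mode_t mode, bool spread_ports) {
    flood_detector_t det;
    flood_init(&det, mode, 20, 2.0);              /* assumed X=20 packets, Y=2 s */
    const uint32_t src = 0x0A000001u;             /* 10.0.0.1, constructed */
    int alerts = 0;
    for (int i = 0; i < 30; i++) {
        uint16_t port = spread_ports ? (uint16_t)(1000 + i) : 80;
        if (flood_packet(&det, src, port, i * 0.03)) alerts++;
    }
    return alerts;
}

int main(void) {
    printf("spray, per-source     : %d alert(s)\n", run_trace(MODE_PER_SOURCE, true));
    printf("spray, per-source+port: %d alert(s)\n", run_trace(MODE_PER_SOURCE_PORT, true));
    printf("port 80, per-source   : %d alert(s)\n", run_trace(MODE_PER_SOURCE, false));
    printf("port 80, per-src+port : %d alert(s)\n", run_trace(MODE_PER_SOURCE_PORT, false));
    return 0;
}
```

The per-port key gives a more specific alert (which service is being hit) but is blind to a source spreading its packets across ports, so a detector that wants both benefits can keep the per-source total as the flood trigger and report the busiest port as context.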

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net