Snort mailing list archives
spp_flood (the importance of port connection?)
From: Cearns Angela <acearns () yahoo com>
Date: Thu, 8 Aug 2002 04:38:52 -0700 (PDT)
Hello:

I'm developing a generic flood detection preprocessor for Snort. I've a few design questions.

Currently, I'm able to detect a generic ping flood attack generated by simple commands such as ping -f. The ICMP flood alert is based on the fact that ICMP doesn't have port numbers associated with it. So, a simple count of the number of incoming ICMP packets (X) received at a target over the specified time (Y) is used to raise an alert.

For generic UDP and TCP flood detection:

Option 1:
-----------
Should I differentiate the attack based on a particular port number? I.e., should I also track the number of packets received at each port in order to raise an alert? (X packets received at Z port over Y time)

or

Option 2:
-----------
Do I only need to consider the total number of incoming packets from a specific source (regardless of which port the packets are targeted at)? (X packets over Y time)

What are your suggestions?

Thanks,
Ang
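The two counting designs in the question, modelled as an added stand-alone example (not Angela's spp_flood code and not a Snort preprocessor): a sliding-window counter keyed either per (src, dst, dport) for option 1 or per (src, dst) for option 2, run over three constructed packet traces. The window of 1000 ms, the threshold of 50 packets and the addresses are hypothetical values chosen for the demonstration.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000   # Y: observation window (hypothetical value)
THRESHOLD = 50     # X: packets inside the window that raise an alert (hypothetical value)


class FloodDetector:
    """Sliding-window packet counter for the two designs in the post.

    per_port=True  -> option 1: count packets per (src, dst, dport)
    per_port=False -> option 2: count packets per (src, dst), ignoring the port
    """

    def __init__(self, window_ms=WINDOW_MS, threshold=THRESHOLD, per_port=False):
        self.window_ms = window_ms
        self.threshold = threshold
        self.per_port = per_port
        self.history = defaultdict(deque)  # key -> timestamps still inside the window

    def observe(self, ts_ms, src, dst, dport):
        """Record one packet; return True if this packet pushes its key to X or beyond."""
        key = (src, dst, dport) if self.per_port else (src, dst)
        seen = self.history[key]
        seen.append(ts_ms)
        while seen and ts_ms - seen[0] > self.window_ms:  # forget packets older than Y
            seen.popleft()
        return len(seen) >= self.threshold


def first_alert(packets, per_port):
    """Run a trace through a fresh detector; return (ts, key) of the first alert or None."""
    det = FloodDetector(per_port=per_port)
    for ts, src, dst, dport in packets:
        if det.observe(ts, src, dst, dport):
            return ts, ((src, dst, dport) if per_port else (src, dst))
    return None


# Constructed traces as (ts_ms, src, dst, dport); addresses are placeholders.
# A: 60 packets in 600 ms from one source, sprayed over 20 ports (3 per port).
SPRAYED = [(i * 10, "10.0.0.5", "10.0.0.1", 1000 + i % 20) for i in range(60)]
# B: 60 packets in 600 ms from one source, all aimed at port 53.
SINGLE_PORT = [(i * 10, "10.0.0.6", "10.0.0.1", 53) for i in range(60)]
# C: 60 packets to port 53 spread over 1.8 s, so no 1 s window ever holds 50 of them.
SLOW = [(i * 30, "10.0.0.7", "10.0.0.1", 53) for i in range(60)]

if __name__ == "__main__":
    for name, trace in (("A sprayed", SPRAYED), ("B single port", SINGLE_PORT), ("C slow", SLOW)):
        print(name, "option 1:", first_alert(trace, True), "option 2:", first_alert(trace, False))
```

Trace A is the case that separates the two options: per-port counting (option 1) never reaches X because each port sees only three packets, while per-source counting (option 2) alerts on the 50th packet; trace C shows the window expiring old packets so a slow sender does not accumulate into an alert.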
Current thread:
- Re: snort-flood detection preprocessor Grudge Mason (Aug 05)
- Re: Re: [Snort-users] snort-flood detection preprocessor Chris Green (Aug 06)
- spp_flood (the importance of port connection?) Cearns Angela (Aug 08)
- Paranoid port-scan detection. [Re: spp_flood (the importance of port connection?)] Vinay A. Mahadik (Aug 08)
- Re: Paranoid port-scan detection. [Re: spp_flood (the importance of port connection?)] Chris Green (Aug 09)
- Re: [Snort-devel] Re: Paranoid port-scan detection. Vinay A. Mahadik (Aug 09)