DOS rules for Nimda

["Richard Ellerbrock" <richarde () eskom co za>]

I am trying to help a very large site that is being killed by denial of
service due to a large number of MS type workstations infected by Nimda.
The standard snort rules are no good as no connection is actually made,
just a HUGE SYN flood looking for open Web servers to infect. Traffic
looks like this:

Each host sends 2x SYN packets exactly the same (same source port, SEQ
and WIN size) to a remote host on port 80. Obviously never gets a reply.
Within a couple of milliseconds, tries another randon destination.

Now my understanding of snort points to the stream4 processor to catch
this stuff, but how to configure. The docs are a little unclear to this
snort newbie. I do get TTL evasion on stream4, but this does not
indicate much.

Any help with rules/setup for this would be great.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users