Snort mailing list archives
Just one rule
From: "Marcin Krawiec" <cravietz () fdcservers net>
Date: Tue, 2 Dec 2003 00:54:35 -0600
Hi,

I have a 100 Mbps line which is behind a firewall that also runs snort+snortsam. Currently snort catches lots of abusive types of traffic, i.e. network scans, some sort of remote exploit attempts, etc. But sometimes that network is experiencing one of these DDoS attacks aimed at one IP inside my network, and usually it's being hit so hard that it takes the whole network down. Snort sometimes detects such attacks as "Bad traffic", other times as something else. So I was wondering if there is any universal script/rule for snort that detects when only one IP is under constant attack and then alerts Snortsam, which later triggers the firewall to block this particular IP inside my network that is being attacked.

I'd appreciate any help.

Marcin