Snort mailing list archives

SynFlood / Total Connection Count with Snort


From: "Andy Simpson" <Andy.Simpson () datgroup com>
Date: Wed, 24 Mar 2004 11:44:35 -0000

Hi,

Two quick questions:

1) Does anyone know if Syn Flood detection (whether native or through
the use of a preprocessor) is working in Snort 2.1.0? If there is a
preprocessor or rule to define this would someone be able to let me know
what this is? The threshold I would say for triggering a syn-flood alert
would be 200 syn-packets from a source within 1 minute.

2) Is there any way of detecting whether any source ip addresses have
above a certain number of established connections to a certain
destination ip? For example, I would like to generate an alert if a
source ip has 50 active connections to 123.123.123.123 on tcp port 80.

If anyone has a solution to these it would be great.

Kind Regards

Andy Simpson

_______________________________________
Andy Simpson
Senior Consultant
DAT Group
DDI:    +44 1580 831 642
Mobile: +44 7977 256 342
Email:  andy.simpson () datgroup com
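The two checks asked about, written out as an added Python example (not code from the Snort project or from anyone in this thread): a sliding-window count of SYN packets per source address, and a count of established connections per source to the named ip:port, run over constructed events. The event tuple format and the simplified connection state (client handshake ACK = established, FIN or RST = closed) are assumptions made for the example, not Snort behaviour.

```python
from collections import defaultdict, deque

SYN_THRESHOLD, SYN_WINDOW = 200, 60     # 200 SYNs from one source within 60 s
CONN_THRESHOLD = 50                      # 50 active connections from one source
WATCHED = ("123.123.123.123", 80)        # destination ip/port named in the question


def detect(events, syn_threshold=SYN_THRESHOLD, syn_window=SYN_WINDOW,
           conn_threshold=CONN_THRESHOLD, watched=WATCHED):
    """Run both checks over (ts, src, sport, dst, dport, flags) tuples.
    flags is a string of TCP flag letters such as "S", "SA", "A", "FA" or "R".
    Returns one alert string per source per condition (first crossing only)."""
    syn_times = defaultdict(deque)   # src -> timestamps of recent bare SYNs
    active = defaultdict(set)        # src -> source ports with an open connection
    alerts, fired = [], set()
    for ts, src, sport, dst, dport, flags in events:
        # Check 1: sliding-window count of SYN-without-ACK packets per source
        if "S" in flags and "A" not in flags:
            q = syn_times[src]
            q.append(ts)
            while ts - q[0] > syn_window:       # drop SYNs older than the window
                q.popleft()
            if len(q) >= syn_threshold and ("syn", src) not in fired:
                fired.add(("syn", src))
                alerts.append(f"SYN flood: {src} sent {len(q)} SYNs within {syn_window}s")
        # Check 2: established connections per source to the watched ip:port.
        # Simplified state (assumption): the client's handshake ACK marks a
        # connection established; a FIN or RST from the client tears it down.
        if (dst, dport) == watched:
            conns = active[src]
            if "F" in flags or "R" in flags:
                conns.discard(sport)
            elif "A" in flags and "S" not in flags:
                conns.add(sport)
            if len(conns) >= conn_threshold and ("conn", src) not in fired:
                fired.add(("conn", src))
                alerts.append(f"{src} has {len(conns)} active connections to {dst}:{dport}")
    return alerts


def sample_events():
    """Constructed traffic (not a capture): a SYN flooder, a busy client, a quiet one."""
    dst, dport = WATCHED
    ev = [(i / 10, "10.0.0.5", 40000 + i, dst, dport, "S") for i in range(250)]
    for i in range(60):   # 10.0.0.9 completes 60 handshakes, later closes 5
        ev += [(100 + i, "10.0.0.9", 50000 + i, dst, dport, "S"),
               (100 + i, "10.0.0.9", 50000 + i, dst, dport, "A")]
    ev += [(200 + i, "10.0.0.9", 50000 + i, dst, dport, "FA") for i in range(5)]
    for i in range(3):    # 10.0.0.7 opens three connections over ten minutes
        ev += [(300 * i, "10.0.0.7", 60000 + i, dst, dport, "S"),
               (300 * i, "10.0.0.7", 60000 + i, dst, dport, "A")]
    return sorted(ev, key=lambda e: e[0])
```

Calling `detect(sample_events())` raises one alert for the flooder and one for the client holding 50 connections, while the quiet host never appears.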
