Snort mailing list archives
Re: detection of smurf attack
From: sofia insat <sofia.insat () yahoo fr>
Date: Tue, 1 Dec 2009 08:57:51 +0000 (GMT)
I want to alert on this attack when I detect the first 20 ICMP packets per second. How can I do it?

--- On Tue, 1 Dec 2009, Rodrigo Montoro(Sp0oKeR) <spooker () gmail com> wrote:

From: Rodrigo Montoro(Sp0oKeR) <spooker () gmail com>
Subject: Re: [Snort-sigs] detection of smurf attack
To: "sofia insat" <sofia.insat () yahoo fr>
Cc: snort-sigs () lists sourceforge net
Date: Tuesday, 1 December 2009, 1:39

"Since potentially many events will be generated, a detection filter would normally be used in conjunction with an event filter to reduce the number of logged events."

Read README.filter in the doc directory of the tarball.

BTW, your rule will trigger on any ICMP packet (IPv4/IPv6). Read README.ipv6 too =)

Regards,

On Mon, Nov 30, 2009 at 9:38 PM, sofia insat <sofia.insat () yahoo fr> wrote:

Hi,

I have to detect a smurf attack with ICMPv6 packets. I have used detection_filter and threshold like this:

alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------"; detection_filter: track by_src, count 30, seconds 1; sid:1000009;)

alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------"; threshold: type limit, track by_src, count 30, seconds 1; sid:10000010;)

but in the alert file I obtain all the alerts. The smurf attack script that I have used generates about 17000 echo request packets per second and I want to have only one alert.

Thanks

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
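As an added illustration that is not part of the thread: a small Python model of the per-source windowed counters that README.filter describes, run over a constructed 17000 echo-request/s burst. It shows why a detection_filter rule alone logs every packet after the count, why `threshold: type limit, count 30, seconds 1` still logs 30 per second, and how pairing the detection filter with a `type limit, count 1` event filter gets down to one alert. The exact window-restart accounting is an assumption about Snort's implementation, not taken from the source.

```python
# Added model (not from the thread) of Snort's per-source windowed counters
# as README.filter describes them; window-restart details are an assumption.
from fractions import Fraction

def detection_filter(events, count, seconds):
    """Events that pass a detection_filter (track by_src): a match passes once
    more than `count` matches from that source fell in the current window."""
    state = {}                                   # src -> (window_start, matches)
    for src, t in events:
        start, n = state.get(src, (t, 0))
        if t - start >= seconds:                 # window expired: restart it
            start, n = t, 0
        n += 1
        state[src] = (start, n)
        if n > count:
            yield src, t

def event_filter_limit(events, count, seconds):
    """type limit: log only the first `count` events per source per window."""
    state = {}
    for src, t in events:
        start, n = state.get(src, (t, 0))
        if t - start >= seconds:
            start, n = t, 0
        if n < count:
            n += 1
            yield src, t
        state[src] = (start, n)

def echo_burst(src, rate, duration):
    """Constructed traffic: `rate` echo requests/s for `duration` s, exact times."""
    return [(src, Fraction(i, rate)) for i in range(rate * duration)]

def logged_alerts(events, df_count, ef_count, ef_seconds):
    """Alerts logged by a rule with detection_filter(count df_count, seconds 1)
    combined with an event_filter(type limit, count ef_count, seconds ef_seconds)."""
    passed = detection_filter(events, df_count, 1)
    return list(event_filter_limit(passed, ef_count, ef_seconds))

if __name__ == "__main__":
    burst = echo_burst("2001:db8::1", 17000, 2)        # two seconds of the attack
    print(len(list(detection_filter(burst, 30, 1))))   # every packet after the 30th: 33940
    print(len(list(event_filter_limit(burst, 30, 1)))) # threshold limit 30/s: 60
    print(len(logged_alerts(burst, 20, 1, 1)))         # one alert per second: 2
    print(len(logged_alerts(burst, 20, 1, 60)))        # one alert for the whole burst: 1
```

The last call is the combination the quoted README sentence recommends: the detection filter decides when traffic counts as an attack, the event filter decides how often that is logged.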