Snort mailing list archives
Re: tcp syn flood attack
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 14 Jun 2010 16:15:30 -0400
That rule won't exactly catch a syn flood. Assuming the rule fires the way you want without the detection_filter, it will, with the detection_filter, fire when more than 10 such *packets* are received in 60 seconds.

If you truly want a syn flood detection, you need a rate_filter something like this:

    rate_filter \
        gen_id 135, sig_id 1, \
        track by_dst, \
        count 10, seconds 60, \
        new_action drop, timeout <T>, \
        apply_to 10.1.1.100

where <T> is the duration you want to drop before allowing the traffic through again. That will catch an excessive rate of syns. Note that this rate filter applies to the destination IP. You can also write a separate rule and then rate filter that rule.

Russ

On Mon, Jun 14, 2010 at 3:48 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com> wrote:
> Ok, after reading I need to drop a high tcp syn flood to my squid. Is this rule fine or shall I do other tuning?
>
>     drop tcp any any -> 10.1.1.100 3128 ( \
>         msg:"Squid sync flood"; flow:established,to_server; \
>         detection_filter: track by_src, count 10, seconds 60; \
>         sid:1000001; rev:1;)
>
> Regards,
> LD
>
> On Monday, 14 June 2010 11:58:54, Russ Combs wrote:
>> That is documented in the Snort manual and in README.filters in the tarball.
>>
>> On Mon, Jun 14, 2010 at 12:43 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com> wrote:
>>> in 2.8 how is this rule?
>>>
>>> On Monday, 14 June 2010 10:51:44, Russ Combs wrote:
>>>> Snort 2.4 is out of date. The latest Snort includes a rate-based attack detection capability that addresses syn floods. Have you tried downloading the tarball from snort.org and building an inline version?
>>>>
>>>> Russ
>>>>
>>>> On Sun, Jun 13, 2010 at 6:42 PM, black_angel black_angel <black.sad.angel () gmail com> wrote:
>>>>> Hello everybody my snort inline 2.4 can't detect a syn flood attack using hping3 if someone can help me please to write a rule to avoid this attack tnx

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
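A small model of the two mechanisms Russ contrasts above, added here as an example; it is not code from Snort, from README.filters, or from anyone in the thread. It assumes the SYNs have already been matched and only models the counting: a detection_filter gates whether a rule fires per packet once the threshold is crossed, while a rate_filter switches the tracked key's action to new_action for a timeout and then reverts. The exact threshold boundary (count vs count+1), the baseline "pass" verdict, the timestamps, and the 192.0.2.0/24 source addresses are all constructed assumptions of the model. Running it with track by_src and track by_dst over the same burst shows why Russ points out that the filter applies to the destination IP: a burst spread across many sources never crosses a per-source threshold.

```python
"""Model of Snort's detection_filter vs rate_filter behaviour.

Added example, not code from the Snort project or from this thread. The
window/threshold logic is a simplified model of what README.filters
describes; the exact boundary (count vs count+1) and the baseline action
are assumptions of the model, not Snort's verified behaviour.
"""
from collections import defaultdict, deque


class DetectionFilter:
    """detection_filter: the rule fires on each packet once more than
    `count` packets for the tracked key have been seen within `seconds`.
    It never changes the verdict for the key; it only gates the rule."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.window = defaultdict(deque)    # key -> timestamps inside window

    def packet(self, key, t):
        w = self.window[key]
        w.append(t)
        while t - w[0] > self.seconds:      # discard timestamps older than window
            w.popleft()
        return len(w) > self.count          # True: the rule fires on this packet


class RateFilter:
    """rate_filter: once `count` events for the tracked key arrive within
    `seconds`, the key's action becomes `new_action` for `timeout` seconds
    (here every SYN to that key is dropped), then reverts to the baseline."""

    def __init__(self, count, seconds, timeout, new_action="drop"):
        self.count = count
        self.seconds = seconds
        self.timeout = timeout
        self.new_action = new_action
        self.window = defaultdict(deque)
        self.until = {}                     # key -> time new_action expires

    def packet(self, key, t):
        if key in self.until:
            if t < self.until[key]:
                return self.new_action      # still inside the timeout
            del self.until[key]             # timeout elapsed: revert
            self.window[key].clear()
        w = self.window[key]
        w.append(t)
        while t - w[0] > self.seconds:
            w.popleft()
        if len(w) >= self.count:
            self.until[key] = t + self.timeout
            return self.new_action
        return "pass"                       # baseline (assumed): traffic allowed


def track_key(pkt, mode):
    """Select the tracking key the way `track by_src` / `track by_dst` would."""
    src, dst, _ = pkt
    return dst if mode == "by_dst" else src


def run_rate(packets, mode, count=10, seconds=60, timeout=30):
    """Verdict per packet under a rate_filter with the given parameters."""
    rf = RateFilter(count, seconds, timeout)
    return [rf.packet(track_key(p, mode), p[2]) for p in packets]


def run_detection(packets, mode, count=10, seconds=60):
    """Whether the rule fires per packet under a detection_filter."""
    df = DetectionFilter(count, seconds)
    return [df.packet(track_key(p, mode), p[2]) for p in packets]


# Constructed sample: 15 SYNs in 15 seconds to the Squid host from 15 different
# source addresses (192.0.2.0/24 is the documentation range), then two stragglers.
SYN_BURST = [(f"192.0.2.{i}", "10.1.1.100", float(i)) for i in range(15)] + [
    ("192.0.2.1", "10.1.1.100", 50.0),
    ("192.0.2.2", "10.1.1.100", 100.0),
]

if __name__ == "__main__":
    for mode in ("by_src", "by_dst"):
        print(mode, "rate_filter:     ", run_rate(SYN_BURST, mode))
        print(mode, "detection_filter:", run_detection(SYN_BURST, mode))
```

With track by_dst the rate_filter starts dropping at the tenth SYN and keeps dropping until the timeout elapses, then lets traffic through again; the detection_filter instead keeps firing for as long as more than ten packets sit inside the 60 second window, which is the per-packet behaviour Russ describes.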
Current thread:
- tcp syn flood attack black_angel black_angel (Jun 13)
- Re: tcp syn flood attack Russ Combs (Jun 14)
- Re: tcp syn flood attack Luis Daniel Lucio Quiroz (Jun 14)
- Re: tcp syn flood attack Russ Combs (Jun 14)
- Re: tcp syn flood attack Luis Daniel Lucio Quiroz (Jun 14)
- Re: tcp syn flood attack Russ Combs (Jun 14)
- Re: tcp syn flood attack Luis Daniel Lucio Quiroz (Jun 14)
- Re: tcp syn flood attack Russ Combs (Jun 14)
- Re: tcp syn flood attack Luis Daniel Lucio Quiroz (Jun 14)
- Re: tcp syn flood attack Russ Combs (Jun 14)