Snort mailing list archives
Re: tcp syn flood attack
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 14 Jun 2010 16:55:05 -0400
Maybe someone else can help you with snortsam, but for sure you need to change:

    15 minutes , timeout <T>

to

    timeout 900,

On Mon, Jun 14, 2010 at 4:48 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com> wrote:

> Thanks. Well, what I'm trying is to use rate_filter with snortsam. I've successfully ported snortsam to use with snortsam to push fw rules:
>
>     rate_filter \
>         gen_id 135, sig_id 1, \
>         track by_dst, \
>         count 10, seconds 60, \
>         new_action fwsam: src[IN], 15 minutes , timeout <T>, \
>         apply_to 10.1.1.100
>
> I wonder if this could work.
>
> On Monday, June 14, 2010 15:15:30, Russ Combs wrote:
>
>> That rule won't exactly catch a syn flood. Assuming the rule fires the way you want without the detection_filter, it will, with the detection_filter, fire when more than 10 such *packets* are received in 60 seconds.
>>
>> If you truly want a syn flood detection, you need a rate_filter something like this:
>>
>>     rate_filter \
>>         gen_id 135, sig_id 1, \
>>         track by_dst, \
>>         count 10, seconds 60, \
>>         new_action drop, timeout <T>, \
>>         apply_to 10.1.1.100
>>
>> where <T> is the duration you want to drop before allowing the traffic through again. That will catch an excessive rate of syns. Note that this rate filter applies to the destination IP. You can also write a separate rule and then rate filter that rule.
>>
>> Russ
>>
>> On Mon, Jun 14, 2010 at 3:48 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com> wrote:
>>
>>> Ok, after reading I need to drop a high tcp syn flood to my squid. Is this rule fine, or shall I do other tuning?
>>>
>>>     drop tcp any any -> 10.1.1.100 3128 ( \
>>>         msg:"Squid syn flood"; flow:established,to_server; \
>>>         detection_filter: track by_src, count 10, seconds 60; \
>>>         sid:1000001; rev:1;)
>>>
>>> Regards,
>>> LD
>>>
>>> On Monday, June 14, 2010 11:58:54, Russ Combs wrote:
>>>
>>>> That is documented in the Snort manual and in README.filters in the tarball.
>>>>
>>>> On Mon, Jun 14, 2010 at 12:43 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com> wrote:
>>>>
>>>>> In 2.8, how is this rule?
>>>>>
>>>>> On Monday, June 14, 2010 10:51:44, Russ Combs wrote:
>>>>>
>>>>>> Snort 2.4 is out of date. The latest Snort includes a rate-based attack detection capability that addresses syn floods. Have you tried downloading the tarball from snort.org and building an inline version?
>>>>>>
>>>>>> Russ
>>>>>>
>>>>>> On Sun, Jun 13, 2010 at 6:42 PM, black_angel black_angel <black.sad.angel () gmail com> wrote:
>>>>>>
>>>>>>> Hello everybody, my snort inline 2.4 can't detect a syn flood attack using hping3. If someone can help me, please, to write a rule to avoid this attack. Thanks
>
> Thanks Russ
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
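The thread's rate_filter (count 10, seconds 60, new_action drop, timeout 900, tracked by destination) is easier to reason about when replayed over traffic. The following is an added example, not code from the thread and not Snort's own implementation: it models the documented rate_filter behaviour with a fixed per-address counting window (the new action is applied once more than `count` matching packets land in one window and is kept for `timeout` seconds), counts only bare SYNs to the squid port (which is also why a rule carrying flow:established cannot rate a SYN flood), and runs the same filter with track by_dst and track by_src against a constructed hping3-style flood, with and without rotating source addresses. The victim 10.1.1.100:3128 and the 203.0.113.0/24 attacker addresses are the thread's and documentation addresses, not real hosts; the packet generator and the `Packet`/`RateFilter` names are assumptions made for the illustration.

```python
"""Model of the rate_filter discussed in the thread, replayed over constructed
SYN traffic. This is an added illustration, not Snort's own code: it uses a
fixed per-address counting window and switches to new_action once more than
`count` matching packets land in one window, keeping it for `timeout` seconds."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int
    flags: int


def is_bare_syn(pkt: Packet, victim: str = "10.1.1.100", port: int = 3128) -> bool:
    """Event the filter counts: a SYN without ACK to the squid port. A rule with
    flow:established never sees these, which is why it cannot rate a SYN flood."""
    return (pkt.dst == victim and pkt.dport == port
            and bool(pkt.flags & SYN) and not (pkt.flags & ACK))


@dataclass
class RateFilter:
    track: str                       # "by_src" or "by_dst"
    count: int                       # matches tolerated per window
    seconds: float                   # window length
    new_action: str                  # action once the rate is exceeded
    timeout: float                   # how long new_action stays in force
    apply_to: Optional[str] = None   # restrict to this tracked address
    original_action: str = "alert"
    _win: Dict[str, Tuple[float, int]] = field(default_factory=dict, init=False, repr=False)
    _until: Dict[str, float] = field(default_factory=dict, init=False, repr=False)

    def action(self, pkt: Packet) -> str:
        key = pkt.src if self.track == "by_src" else pkt.dst
        if self.apply_to is not None and key != self.apply_to:
            return self.original_action
        if pkt.ts < self._until.get(key, -1.0):
            return self.new_action              # timeout period still running
        start, n = self._win.get(key, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:      # window expired: open a new one
            start, n = pkt.ts, 0
        n += 1
        self._win[key] = (start, n)
        if n > self.count:                      # rate exceeded: switch action
            self._until[key] = pkt.ts + self.timeout
            del self._win[key]
            return self.new_action
        return self.original_action


def replay(packets: List[Packet], rf: RateFilter) -> List[str]:
    """Actions taken for every packet the filter counts, in arrival order."""
    return [rf.action(p) for p in packets if is_bare_syn(p)]


def flood(n: int, rate_per_sec: float, spoof: bool) -> List[Packet]:
    """Constructed hping3-style flood against squid; spoof=True rotates the
    source address across 203.0.113.0/24 the way --rand-source would."""
    return [Packet(i / rate_per_sec,
                   f"203.0.113.{i % 200 + 1}" if spoof else "203.0.113.7",
                   "10.1.1.100", 3128, SYN)
            for i in range(n)]


def thread_filter(track: str) -> RateFilter:
    """count 10, seconds 60, new_action drop, timeout 900, as in the thread.
    apply_to names the tracked address, so it is only set for by_dst here."""
    return RateFilter(track, 10, 60, "drop", 900,
                      "10.1.1.100" if track == "by_dst" else None)


if __name__ == "__main__":
    for spoof in (False, True):
        pkts = flood(500, 50, spoof)            # 500 SYNs in 10 s
        for track in ("by_dst", "by_src"):
            acts = replay(pkts, thread_filter(track))
            print(f"spoof={spoof} {track}: {acts.count('drop')}/{len(acts)} dropped")
```

With a single-source flood both tracking modes switch to drop on the 11th SYN and stay there for the timeout; once the sources rotate, only by_dst still fires, because no individual source ever exceeds the count. That is the practical content of the remark that the filter applies to the destination IP, and it is worth checking against real hping3 output before relying on a by_src variant.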
Current thread:
- tcp syn flood attack black_angel black_angel (Jun 13)
- Re: tcp syn flood attack Russ Combs (Jun 14)
- Re: tcp syn flood attack Luis Daniel Lucio Quiroz (Jun 14)
- Re: tcp syn flood attack Russ Combs (Jun 14)
- Re: tcp syn flood attack Luis Daniel Lucio Quiroz (Jun 14)
- Re: tcp syn flood attack Russ Combs (Jun 14)
- Re: tcp syn flood attack Luis Daniel Lucio Quiroz (Jun 14)
- Re: tcp syn flood attack Russ Combs (Jun 14)
- Re: tcp syn flood attack Luis Daniel Lucio Quiroz (Jun 14)
- Re: tcp syn flood attack Russ Combs (Jun 14)