Re: tcp syn flood attack

[Russ Combs <rcombs () sourcefire com>]

Maybe someone else can help you with snortsam, but for sure you need to
change:

15 minutes , timeout <T>

to

timeout 900,

On Mon, Jun 14, 2010 at 4:48 PM, Luis Daniel Lucio Quiroz <
luis.daniel.lucio () gmail com> wrote:

> thanx
> well what i'm trying is to use rate_filter with snortsam.  I've ported
> sucessfully snortsam to use with snortsam to plush fw rules
>
> > rate_filter \
> >     gen_id 135, sig_id 1, \
> >     track by_dst, \
> >     count 10, seconds 60, \
> >     new_action fwsam: src[IN], 15 minutes , timeout <T>, \
> >     apply_to 10.1.1.100
>
> i wonder if this could work
>
>
>
> Le lundi 14 juin 2010 15:15:30, Russ Combs a écrit :
> > That rule won't exactly catch a syn flood.  Assuming the rule fires the
> way
> > you want without the detection_filter, it will, with the
> detection_filter,
> > fire when more than 10 such *packets* are received in 60 seconds.
> >
> > If you truly want a syn flood detection, you need a rate_filter something
> > like this:
> >
> > rate_filter \
> >     gen_id 135, sig_id 1, \
> >     track by_dst, \
> >     count 10, seconds 60, \
> >     new_action drop, timeout <T>, \
> >     apply_to 10.1.1.100
> >
> > where <T> is the duration you want to drop before allowing the traffic
> > through again.
> >
> > That will catch an excessive rate of syns.
> >
> > Note that this rate filter applies to the destination IP.  You can also
> > write a separate rule and then rate filter that rule.
> >
> > Russ
> >
> > On Mon, Jun 14, 2010 at 3:48 PM, Luis Daniel Lucio Quiroz <
> >
> > luis.daniel.lucio () gmail com> wrote:
> > > Ok, after reading ineed to drop a highg  tcp syn flood, to my squid
> > >
> > > is this rule  fine or shall do other tunning
> > >
> > >
> > > drop tcp any any > 10.1.1.100 3128 ( \
> > >
> > >    msg:”Squid sync flood”;
> > >    flow:established,to_server; \
> > >    detection_filter: track by_src, count 10, seconds 60; \
> > >    sid:1000001; rev:1;)
> > >
> > > Reegards,
> > >
> > > LD
> > >
> > > Le lundi 14 juin 2010 11:58:54, Russ Combs a écrit :
> > > > That is documented in the Snort manual and in README.filters in the
> > > > tarball.
> > > >
> > > > On Mon, Jun 14, 2010 at 12:43 PM, Luis Daniel Lucio Quiroz <
> > > >
> > > > luis.daniel.lucio () gmail com> wrote:
> > > > > in 2.8 how is this rule?
> > > > >
> > > > > Le lundi 14 juin 2010 10:51:44, Russ Combs a écrit :
> > > > > > Snort 2.4 is out of date.  The latest Snort includes a rate-based
> > > > > > attack detection capability that addresses syn floods.  Have you
> > >
> > > tried
> > >
> > > > > downloading
> > > > >
> > > > > > the tarball from snort.org and building an inline version?
> > > > > >
> > > > > > Russ
> > > > > >
> > > > > > On Sun, Jun 13, 2010 at 6:42 PM, black_angel black_angel <
> > > > > >
> > > > > > black.sad.angel () gmail com> wrote:
> > > > > > > Hello everybody
> > > > > > > my snort inline 2.4 can't detect a syn flood attack using
> hping3
> > > > > > > if someone can help me please to write a rule to avoid this
> > > > > > > attack tnx
> -------------------------------------------------------------------------
> > > > > > > ----- ThinkGeek and WIRED's GeekDad team up for the Ultimate
> > > > > > > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> > > > > > > lucky parental unit.  See the prize list and enter to win:
> > > > > > > http://p.sf.net/sfu/thinkgeek-promo
> > > > > > > _______________________________________________
> > > > > > > Snort-users mailing list
> > > > > > > Snort-users () lists sourceforge net
> > > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > > Snort-users list archive:
> > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> -------------------------------------------------------------------------
> > > > > ----- ThinkGeek and WIRED's GeekDad team up for the Ultimate
> > > > > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> > > > > lucky parental unit.  See the prize list and enter to win:
> > > > > http://p.sf.net/sfu/thinkgeek-promo
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Thanx Russ
------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users