Snort mailing list archives
Writing snort rules for dos detection in tcpdump files
From: Aneela Safdar <ansaf_130 () yahoo com>
Date: Fri, 25 Dec 2015 12:50:06 +0000 (UTC)
I have got some tcpdump files from the KDD-99 dataset and I am trying to find the Neptune attacks recorded in them. I am writing rules in standard form, for instance:

alert tcp any any -> any 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; classtype: attempted-dos; threshold: type threshold, track by_src, count 20, seconds 6; sid:1000001; rev:1;)

According to this very rule, I should be alerted only after 6 seconds if more than 20 rules are found, but it generates an alert for all packets having SYN enabled. Can anybody help me here? Regards, Aneela Safdar
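The thresholding the rule asks for, modelled in Python as an added example (not from the original message and not Snort's own code): it counts how many alerts the documented `threshold: type threshold, track by_src, count 20, seconds 6` semantics should produce on constructed SYN traffic, next to the one-alert-per-SYN behaviour the poster describes. The packet sample and the helper names are assumptions made for the example.

```python
from collections import namedtuple

# One TCP packet as it would come out of a capture: timestamp (s), source IP, TCP flags.
Packet = namedtuple("Packet", "ts src flags")

def sample_packets():
    """Constructed sample traffic (not taken from a KDD-99 capture):
    a SYN burst from 10.0.0.1 (50 SYNs, 100 ms apart), five slow SYNs
    from 10.0.0.2 spread over 28 s, and one ACK-only packet from 10.0.0.3."""
    burst = [Packet(i * 0.1, "10.0.0.1", "S") for i in range(50)]
    slow = [Packet(7.0 * i, "10.0.0.2", "S") for i in range(5)]
    other = [Packet(1.05, "10.0.0.3", "A")]
    return sorted(burst + slow + other, key=lambda p: p.ts)

def per_packet_alerts(packets):
    """What the poster observed: the rule body (flags: S) matches every SYN,
    so without working thresholding every SYN packet raises an alert."""
    return [p for p in packets if "S" in p.flags]

def threshold_alerts(packets, count=20, seconds=6):
    """Model of `threshold: type threshold, track by_src, count N, seconds T`
    as documented for Snort: alert on every N-th matching packet from the same
    source inside a T-second window; an expired window restarts the counter.
    This re-implements the documented semantics; it is not Snort's code."""
    state = {}          # src -> (window_start, matches seen in this window)
    alerts = []
    for p in per_packet_alerts(packets):       # only SYNs match the rule body
        start, n = state.get(p.src, (None, 0))
        if start is None or p.ts - start >= seconds:
            start, n = p.ts, 0                 # first match, or window expired
        n += 1
        if n >= count:
            alerts.append(p)
            start, n = p.ts, 0                 # window and counter restart after an alert
        state[p.src] = (start, n)
    return alerts

if __name__ == "__main__":
    pkts = sample_packets()
    print(len(per_packet_alerts(pkts)), "alerts without thresholding")   # 55
    print(len(threshold_alerts(pkts)), "alerts with count 20 / seconds 6")  # 2
```

The burst source yields two alerts (the 20th and 40th SYN inside the window) while the slow source never reaches the count, which is the behaviour the rule is meant to give.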
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!