Snort mailing list archives
Re: SYN flood detection
From: Pawel Rogocz <pawel () rogocz com>
Date: Fri, 10 May 2002 14:10:38 -0700
Thanks for bringing this up Erek. Now, I am not sure what the portscan processor really tries to do, if it only detects scans that are going to different ports. It will not detect scans going to the same port whether they go to the same box or not. The change to spp_portscan.c is trivial, but as Matt pointed out, you will have to think what your thresholds should be....

Pawel

On Fri, May 10, 2002 at 12:01:45PM -0700, Erek Adams wrote:
> On Fri, 10 May 2002, Matt Kettler wrote:
>
> > spp_portscan is intended to detect portscans, not syn floods. It's designed to detect numerous connections to *different* ports. A syn-flood detector is pretty similar in code design to spp_portscan, but detects something very different.
>
> And to detect scans to the _same_ port on _different_ machines.
>
> > perhaps a spp_synflood should be created to detect numerous connections period? I'd suspect you'd want different settings for the portscan and synflood versions anyway. (ie: 4 different ports in 3 seconds is sufficient to call it a portscan, but more like 400 connections to call it a synflood.)
>
> This would really be a value that would have to be played with... But, yes--I think it would be nice to have as a plugin. Any coder volunteers? ;-)
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
--
_______________________________________________________________
Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
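Added example, not code from the thread and not Snort's spp_portscan.c: the two detectors the thread contrasts, written as sliding-window logic in Python and run over constructed packet records. A portscan detector keys on the source and counts distinct (destination host, port) targets, which covers both the different-ports case and the same-port-on-different-hosts case Erek mentions; a SYN-flood detector keys on the (destination host, port) and counts bare SYNs no matter how many sources they come from. The thresholds (4 targets in 3 seconds for a scan, 400 SYNs in 3 seconds for a flood) are the ballpark figures from Matt's message and are assumptions, not Snort defaults; the addresses, packet tuples and function names are invented for illustration.

```python
"""Portscan vs SYN-flood detection with per-key sliding windows.

Added example; not Snort code. Thresholds are assumptions taken from the
thread's discussion, not spp_portscan defaults.
"""
from collections import defaultdict, deque

SYN = 0x02
ACK = 0x10


def is_bare_syn(flags):
    """A connection-initiating SYN: SYN set, ACK clear (SYN/ACK replies are not)."""
    return bool(flags & SYN) and not (flags & ACK)


class PortscanDetector:
    """Per source host: distinct (dst host, dst port) targets hit inside the window."""

    def __init__(self, targets=4, window=3.0):
        self.targets = targets
        self.window = window
        self.seen = defaultdict(deque)   # src -> deque of (ts, (dst, dport))

    def observe(self, ts, src, dst, dport, flags):
        if not is_bare_syn(flags):
            return None
        q = self.seen[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > self.window:   # expire old entries
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= self.targets:
            return ("PORTSCAN", src, len(distinct))
        return None


class SynFloodDetector:
    """Per (dst host, dst port): bare SYNs inside the window, from any source."""

    def __init__(self, syns=400, window=3.0):
        self.syns = syns
        self.window = window
        self.seen = defaultdict(deque)   # (dst, dport) -> deque of ts

    def observe(self, ts, src, dst, dport, flags):
        if not is_bare_syn(flags):
            return None
        q = self.seen[(dst, dport)]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.syns:
            return ("SYNFLOOD", (dst, dport), len(q))
        return None


def run(packets, scan=None, flood=None):
    """Feed (ts, src, dst, dport, flags) tuples to both detectors; return the alert set."""
    scan = scan or PortscanDetector()
    flood = flood or SynFloodDetector()
    alerts = set()
    for pkt in packets:
        for det in (scan, flood):
            alert = det.observe(*pkt)
            if alert:
                alerts.add(alert[:2])   # drop the count so repeated alerts collapse
    return alerts


# Constructed traffic (not captured data). Each tuple: ts, src, dst, dport, flags.
def portscan_traffic():
    # one source probes five ports on one host within two seconds
    return [(0.1 + i * 0.4, "10.0.0.5", "192.168.1.10", p, SYN)
            for i, p in enumerate([21, 22, 23, 25, 80])]


def slow_scan_traffic():
    # same probe spread out two seconds apart: falls below 4 targets per 3 s
    return [(i * 2.0, "10.0.0.5", "192.168.1.10", p, SYN)
            for i, p in enumerate([21, 22, 23, 25, 80])]


def synflood_traffic():
    # 500 SYNs to 192.168.1.20:80 inside one second from 250 spoofed sources
    return [(1.0 + i / 500.0, "203.0.113.%d" % (i % 250 + 1), "192.168.1.20", 80, SYN)
            for i in range(500)]


def synack_replies():
    # a busy server answering 500 clients: SYN/ACK, so neither detector counts it
    return [(5.0 + i * 0.001, "192.168.1.20", "10.0.0.%d" % (i % 250 + 1), 40000 + i, SYN | ACK)
            for i in range(500)]


if __name__ == "__main__":
    for name, traffic in [("portscan", portscan_traffic()), ("slow scan", slow_scan_traffic()),
                          ("synflood", synflood_traffic()), ("syn/ack only", synack_replies())]:
        print(name, "->", run(traffic) or "no alert")
```

The flood detector never fires on the scan (each target sees one SYN) and the scan detector never fires on the flood (each source hits one target), which is the separation the thread is after; the slow scan shows why the window and count have to be tuned together rather than picked in isolation.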
Current thread:
- SYN flood detection Pawel Rogocz (May 10)
- Re: SYN flood detection Matt Kettler (May 10)
- Re: SYN flood detection Erek Adams (May 10)
- Re: SYN flood detection Pawel Rogocz (May 10)
- Re: SYN flood detection Erek Adams (May 10)
- Re: SYN flood detection Erek Adams (May 10)
- Re: SYN flood detection Matt Kettler (May 10)