Snort mailing list archives

Re: syn flood detection?


From: "Vinay A. Mahadik" <VAMahadik () lbl gov>
Date: Mon, 29 Jul 2002 17:17:16 -0700

Daniel Lopez wrote:

> Hello,
>
> I am using SNORT 1.8.7 and I was performing some tests. I noticed that
> it was not able to detect SYN floods!
> I could read in previous posts that currently, this was not possible.


It wouldn't be easy to set a 'flood' threshold for SYN packets even for
one's own network (think mail server on Monday morning).. 

> Thus, I wanted to know if this will be possible in future versions?
> Then, it is possible to detect SYN floods with the use of SPADE?


Spade only helps in detecting packets going to rare/anomalous ports, not
all/any ports. So a flood of packets to a port that's anyway a popular
port from Spade's standards (think www) isn't going to trigger an alert.

I think SYN flood detection falls into anomaly detection.. requiring
(perhaps impossible) incoming traffic modeling..

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
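The point made in the reply above, that a fixed SYN-count threshold misfires on a legitimate burst (the Monday-morning mail server) and that telling a flood apart needs some model of how connections normally behave, as an added Python illustration. This is constructed example code written for this archive page, not code from the thread, from Snort or from Spade; the packet records, addresses and thresholds are all made up for the demonstration. It contrasts a naive per-destination SYN counter with a detector that tracks whether each handshake completes.

```python
"""Constructed illustration: raw SYN-rate threshold vs. half-open handshake model.

Packet records are tuples (time_s, src, dst, flags) with flags
"S" = SYN, "SA" = SYN/ACK, "A" = ACK. Addresses are documentation ranges.
"""
from collections import defaultdict

MAIL_SERVER = "192.0.2.25:25"   # constructed address
WEB_SERVER = "192.0.2.80:80"    # constructed address


def legit_burst(n_clients=200):
    """Constructed 'Monday morning' burst: n_clients real clients, every
    handshake completes (SYN, SYN/ACK, ACK)."""
    pkts = []
    for i in range(n_clients):
        src = f"10.0.1.{i % 250 + 1}:{40000 + i}"
        t = i * 0.01
        pkts.append((t, src, MAIL_SERVER, "S"))
        pkts.append((t + 0.001, MAIL_SERVER, src, "SA"))
        pkts.append((t + 0.002, src, MAIL_SERVER, "A"))
    return pkts


def syn_flood(n_syns=200):
    """Constructed flood: n_syns SYNs from sources that never answer the
    SYN/ACK, so no handshake completes."""
    pkts = []
    for i in range(n_syns):
        src = f"198.51.100.{i % 250 + 1}:{50000 + i}"
        t = i * 0.01
        pkts.append((t, src, WEB_SERVER, "S"))
        pkts.append((t + 0.001, WEB_SERVER, src, "SA"))
    return pkts


def syn_rate_alert(pkts, threshold=100):
    """Naive detector: alert on any destination receiving more than
    `threshold` SYNs in the sample. Cannot tell a busy server from a flood."""
    counts = defaultdict(int)
    for _t, _src, dst, flags in pkts:
        if flags == "S":
            counts[dst] += 1
    return {dst for dst, n in counts.items() if n > threshold}


def handshake_completion(pkts):
    """Per destination: (SYNs seen, fraction of those SYNs whose client
    later sent the completing ACK). A SYN opens a pending entry for the
    (src, dst) pair; the first ACK from that pair closes it."""
    pending = set()
    syns = defaultdict(int)
    done = defaultdict(int)
    for _t, src, dst, flags in pkts:
        if flags == "S":
            syns[dst] += 1
            pending.add((src, dst))
        elif flags == "A" and (src, dst) in pending:
            pending.discard((src, dst))
            done[dst] += 1
    return {dst: (syns[dst], done[dst] / syns[dst]) for dst in syns}


def half_open_alert(pkts, min_syns=50, min_completion=0.5):
    """Model-based detector: alert only when a destination sees at least
    `min_syns` SYNs AND fewer than `min_completion` of them complete."""
    stats = handshake_completion(pkts)
    return {dst for dst, (n, ratio) in stats.items()
            if n >= min_syns and ratio < min_completion}


if __name__ == "__main__":
    for name, sample in (("legit burst", legit_burst()), ("syn flood", syn_flood())):
        print(f"{name:12s} rate-threshold alerts: {syn_rate_alert(sample)}")
        print(f"{name:12s} half-open alerts:      {half_open_alert(sample)}")
```

Both samples carry the same number of SYNs, so the rate-threshold detector fires on both; only the completion-ratio model separates them. The model is still crude (a real deployment would window by time and learn per-service baselines), which is exactly the traffic modeling the reply says such detection would need.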

