Snort mailing list archives

Snort tools for detecting, and alerting based on a DOS attack.


From: "George Walford" <gwalford () rackforce com>
Date: Thu, 10 Oct 2002 09:31:41 -0700

I am currently using Snort with ACID on my network, and it is great.

However, I have had to reduce the number of rules that snort looks for otherwise ACID becomes overloaded (currently in the process of adding more sensors further down the network segments).

One problem I am faced with however that ACID does not detect very well for my needs is a DoS or DDoS attack. With the amount of information in the ACID database an incoming DoS attack does not show up in the alerts for some time as it has to compete with previous history in the database. So, until it reaches dangerous proportions it is not detected.

What I am asking is for a way to detect and alert the network staff to an incoming DoS attack in realtime, with a report including the attacking IPs and the target IP, and preferably bandwidth used. Unfortunately MRTG is not a solution in this case (we do have MRTG on the router).

What would be the best tool to use with snort to accomplish this?