Snort mailing list archives

Re: Syn-Flood


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 12 Nov 2003 12:52:28 -0500

At 10:47 AM 11/12/2003, Frank Barton wrote:
I've been looking for a rule that would detect a syn-flood, and the only way I can think of doing this would be with N "activate" rules (where N is the number of SYN packets that arrive in a specified time), and I think there's got to be a better way.

After reading the rules for DoS attacks, all I saw was that each tool that is detected is detected by some content string, not specifically by volume.

The documentation PDF doesn't have anything in it about a "count" option, or any other way that I can think of to count packets.

If anybody has any ideas, I'd be most thankful.

This would really need to be done in the code itself with some kind of variant of spp_portscan. (the classic spp_portscan is implemented as an event counter, which is exactly what you'd need)

Code-wise it would be fairly trivial to modify spp_portscan's basic logic to be a synflood detector instead of a portscan detector, but AFAIK nobody's done it before.

If you dig in the archives, you'll find this exact topic has been discussed before:

http://www.mcabee.org/lists/snort-users/May-02/msg00237.html
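The event-counter approach Matt describes above (spp_portscan's logic pointed at SYNs instead of port probes), as an added example that is not part of this thread and not Snort's own preprocessor code. It keeps a per-destination ring of SYN arrival times, expires entries older than a window, and alerts once per window when the count reaches a threshold. The struct layout, the function names, the table sizes and the sample traffic are all assumptions made for the example; nothing here is Snort's API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
#define MAX_TRACKED 64   /* destinations tracked at once (assumed limit) */
#define MAX_EVENTS  128  /* SYN timestamps kept per destination (assumed) */

/* Minimal packet record with only the fields the counter needs (assumed). */
struct pkt { uint32_t ts, src, dst; uint8_t flags; };

/* Per-destination event counter: a ring buffer of SYN arrival times. */
struct tracker {
    uint32_t dst, times[MAX_EVENTS], last_alert;  /* last_alert 0 = none yet */
    size_t head, count;
};

struct synflood_state {
    struct tracker t[MAX_TRACKED];
    size_t used;
    uint32_t window, threshold;  /* alert at >= threshold SYNs within window s */
};

static struct tracker *find_tracker(struct synflood_state *s, uint32_t dst)
{
    for (size_t i = 0; i < s->used; i++)
        if (s->t[i].dst == dst) return &s->t[i];
    if (s->used == MAX_TRACKED) return NULL;  /* table full: drop, never overrun */
    s->t[s->used].dst = dst;
    return &s->t[s->used++];
}

/* Drop timestamps that have fallen out of the window, oldest first. */
static void expire(struct tracker *t, uint32_t now, uint32_t window)
{
    while (t->count > 0) {
        uint32_t oldest = t->times[t->head];
        if (now < oldest || now - oldest < window) break;  /* tolerate reordering */
        t->head = (t->head + 1) % MAX_EVENTS;
        t->count--;
    }
}

/* Feed one packet; returns 1 if a SYN-flood alert fires on it, else 0.
 * Only pure SYNs count: SYN/ACK replies and established-session ACKs are
 * ignored, otherwise a busy server would alert on its own normal traffic. */
int synflood_feed(struct synflood_state *s, const struct pkt *p)
{
    if ((p->flags & (TH_SYN | TH_ACK)) != TH_SYN) return 0;
    struct tracker *t = find_tracker(s, p->dst);
    if (!t) return 0;
    expire(t, p->ts, s->window);
    if (t->count < MAX_EVENTS)  /* a full ring already exceeds any sane threshold */
        t->times[(t->head + t->count++) % MAX_EVENTS] = p->ts;
    if (t->count < s->threshold) return 0;
    /* Suppress repeats: at most one alert per destination per window. */
    if (t->last_alert && p->ts >= t->last_alert && p->ts - t->last_alert < s->window)
        return 0;
    t->last_alert = p->ts;
    return 1;
}

/* Constructed sample traffic, not a capture: 3 legitimate SYNs to 10.0.0.10
 * 3 s apart, then a 2 s burst to 10.0.0.20 of 30 SYNs from spoofed sources
 * interleaved with 10 ACK-only packets that must not be counted.  43 packets. */
size_t build_sample(struct pkt out[64])
{
    const uint32_t base = 1068659548u;  /* arbitrary epoch seconds */
    size_t n = 0;
    for (uint32_t i = 0; i < 3; i++)
        out[n++] = (struct pkt){ base + 3 * i, 0x0A000101u + i, 0x0A00000Au, TH_SYN };
    for (uint32_t i = 0; i < 30; i++) {
        out[n++] = (struct pkt){ base + 20 + i / 15, 0xC0A80000u + i, 0x0A000014u, TH_SYN };
        if (i % 3 == 0)
            out[n++] = (struct pkt){ base + 20 + i / 15, 0x0A000105u, 0x0A000014u, TH_ACK };
    }
    return n;
}

/* Run the sample through a fresh counter.  Returns the alerts raised and the
 * SYNs to 10.0.0.20 still inside the window when the run ends. */
struct demo_result { int alerts; size_t victim_syns; };
struct demo_result demo_run(uint32_t window, uint32_t threshold)
{
    struct pkt sample[64];
    size_t n = build_sample(sample);
    struct synflood_state st = { .window = window, .threshold = threshold };
    struct demo_result r = { 0, 0 };
    for (size_t i = 0; i < n; i++) r.alerts += synflood_feed(&st, &sample[i]);
    struct tracker *t = find_tracker(&st, 0x0A000014u);
    r.victim_syns = t ? t->count : 0;
    return r;
}

int main(void)
{
    struct demo_result r = demo_run(5, 20);
    printf("window 5 s, threshold 20: %d alert(s), %zu SYNs in window\n", r.alerts, r.victim_syns);
    return 0;
}
```

With a 5 s window and a threshold of 20 the burst raises exactly one alert (the 20th SYN fires it, the remaining ten are suppressed) and the ten ACK packets to the same host are never counted; shrinking the window to 1 s lets the first fifteen SYNs expire before the second batch arrives, so no alert fires. A real preprocessor would key on a fixed table or hash instead of a linear scan and would have to decide what to do when the tracker table fills up, which this example simply drops.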



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net