Snort mailing list archives
Re: tcp flood
From: SN ORT <snort_on_acid () yahoo com>
Date: Mon, 7 Mar 2005 12:25:10 -0800 (PST)
This is really a simple layer 3 issue that should be dealt with at your perimeter, and not on IDS or even firewall if it can be avoided. You can rate-limit on just about any Cisco device (including PIX) to limit DoS attacks, including TCP SYN attacks, by using access-lists with rate-limit commands. Look to your Internet routers to stop the attacks.

Cheese!
Marc
Message: 1
Date: Mon, 07 Mar 2005 13:24:41 -0500
To: "Joaquin Grech" <joaco () bocazas com>, <snort-users () lists sourceforge net>
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] tcp flood

At 12:19 AM 3/7/2005, Joaquin Grech wrote:
> If this can't be done with snort, is there any software to do that? I tried several firewalls but none had throttle handling like that per ip.

With plain IDS-mode snort you're not going to be able to block anything. Snort can be made to block stuff using inline mode, or using one of several add-ons. However, I've never run snort in inline mode, so I can't comment on this.

You'd probably want to use the classic portscan preprocessor to do this, or use thresholding in a rule.

As for firewalls, here's what I know of that can help with connection flooding:

IPTables with the "limit" extension can do this easily and with a great deal of flexibility. You can even specify a burst connection limit before the rate limiter engages, and an overall rate in connections per second, minute, hour, or day.

Juniper Netscreen products can do this, but not quite the way you want. It's the source threshold in zone screen, which specifies a per-source connection-rate limit. Admittedly the limit is in pps, so you can't do 3 per 5 seconds, but you can do something like 3/s quite easily this way and keep your problems at least somewhat regulated.

Cisco PIX firewalls can't set a per-source limit, but can set a limit on the total embryonic connections, and total connections per server using the static command. This doesn't help kill an attacker, but does help put an upper bound on the load problems. However, this has the drawback of also limiting legitimate connections while you're being flooded. Not very useful.

--__--__--

Message: 2
Date: Fri, 4 Mar 2005 11:49:59 -0700
From: "Michael Graybill" <mgraybill () firstchoiceusa com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Help with Base ????
Ok I installed snort and Base. I do have stuff in the logs (/var/log/snort/alert) but when I log into Base, it isn't pulling anything from the logs. Can someone help me fix this?

TIA,

Michael
=== message truncated ===

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
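The burst-then-sustained-rate behaviour Matt describes for the iptables rate limiter, applied to Joaquin's "3 connections per 5 seconds per IP" requirement, modelled as a token bucket. This is an added example, not code from any post in the thread. One caveat worth having in hand: the iptables `limit` match keeps a single bucket for the whole rule, so a flooder drains it for every source, while `hashlimit` with `--hashlimit-mode srcip` keeps one bucket per source address, which is what a per-IP throttle needs. The rule lines in the comments assume a netfilter build that accepts the `--hashlimit-upto` spelling (older builds call it `--hashlimit`); the addresses and timestamps are constructed sample data.

```python
"""Per-source SYN rate limiting modelled as a token bucket (added example).

What it models, expressed as iptables rules (assumed modern option names):

    # per-source bucket: sustained 0.6/s (= 3 per 5 s), burst of 3
    iptables -N SYNLIMIT
    iptables -A INPUT -p tcp --syn -j SYNLIMIT
    iptables -A SYNLIMIT -m hashlimit --hashlimit-name syn \
        --hashlimit-mode srcip --hashlimit-upto 36/minute \
        --hashlimit-burst 3 -j RETURN
    iptables -A SYNLIMIT -j DROP

    # global bucket: the same numbers with -m limit, shared by ALL sources
    iptables -A INPUT -p tcp --syn -m limit --limit 36/minute \
        --limit-burst 3 -j ACCEPT
    iptables -A INPUT -p tcp --syn -j DROP
"""
from collections import defaultdict


class TokenBucket:
    """Holds at most `burst` tokens, refilled at `rate` tokens per second.

    Every new connection attempt (SYN) spends one token; with no whole token
    left the attempt is dropped. A fresh bucket starts full, so the first
    `burst` SYNs pass immediately before the sustained rate takes over.
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_policy(events, rate, burst, per_source):
    """Run SYN events (timestamp_seconds, src_ip) through the limiter in time order.

    per_source=True  models hashlimit --hashlimit-mode srcip (a bucket per source).
    per_source=False models the plain limit match (one bucket shared by everyone).
    Returns [(timestamp, src_ip, "ACCEPT" | "DROP"), ...].
    """
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    verdicts = []
    for ts, src in sorted(events):
        key = src if per_source else "*"
        verdict = "ACCEPT" if buckets[key].allow(ts) else "DROP"
        verdicts.append((ts, src, verdict))
    return verdicts


def summarize(verdicts):
    """Count accepted and dropped SYNs per source address."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _, src, verdict in verdicts:
        counts[src][verdict] += 1
    return dict(counts)


# Constructed sample traffic: a flooder sending a SYN every 100 ms for one
# second, and a normal client opening two connections in the same window.
FLOODER = "10.0.0.5"
CLIENT = "192.0.2.10"
SAMPLE_SYNS = [(i / 10.0, FLOODER) for i in range(10)] + [(0.55, CLIENT), (4.0, CLIENT)]

# Joaquin's target: at most 3 new connections per 5 seconds from one source.
RATE = 3 / 5.0   # sustained tokens per second (36/minute in iptables units)
BURST = 3        # --hashlimit-burst 3 / --limit-burst 3

if __name__ == "__main__":
    for label, per_source in (("hashlimit, per source", True), ("limit, global bucket", False)):
        print(label, summarize(apply_policy(SAMPLE_SYNS, RATE, BURST, per_source)))
```

With the per-source buckets the flooder gets its burst of 3 and then nothing, and the client is untouched; with the single shared bucket the flooder has already emptied it by the time the client's first SYN arrives, which is the "also limiting legitimate connections while you're being flooded" problem Matt raises for the PIX, reproduced on Linux by choosing the wrong match.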
Current thread:
- tcp flood Joaquin Grech (Mar 06)
- Re: tcp flood Matt Kettler (Mar 07)
- RE: tcp flood Joaquin Grech (Mar 07)
- Message not available
- RE: tcp flood Matt Kettler (Mar 08)
- Re: tcp flood Matt Kettler (Mar 07)
- <Possible follow-ups>
- Re: tcp flood SN ORT (Mar 07)
- Re: tcp flood Matt Kettler (Mar 07)
- RE: tcp flood Joaquin Grech (Mar 08)
- Re: tcp flood Matt Kettler (Mar 07)
- RE: tcp flood SN ORT (Mar 08)
- Re: tcp flood Matt Kettler (Mar 08)