Snort mailing list archives
Snort rule writing
From: blend ajazi via Snort-sigs <snort-sigs () lists snort org>
Date: Sat, 24 Sep 2022 14:05:22 +0000
Hello community,

I am wondering how to write a Snort rule which detects, for example, a DDoS attack by analyzing the "Source-to-destination packets per second"? Here is an attempt for a DDoS attack on TCP (SYN flood):

alert tcp any any -> $HOME_NET 80 (flags: S; msg:"Possible DoS Attack Type : SYN flood"; flow:stateless; sid:3; detection_filter:track by_dst, count 20, seconds 10;)

And which rule options do I use for defining the following?

- Number of inbound connections per destination IP.
- Number of inbound connections per source IP.
- Maximum duration of aggregated records

Thank you so much

Best regards
Blend Ajazi
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
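The three quantities asked about in the post all map onto the `detection_filter` option already present in the posted rule: `track by_dst` counts rule matches per destination IP, `track by_src` counts them per source IP, and `seconds` is the length of the window over which matches are aggregated before the counter resets; `count` is the number of matches allowed inside that window before the rule starts alerting. The Python below is an added example (not code from the thread or from Snort itself) that models that documented behaviour over a constructed stream of SYN packets, so the effect of `by_dst` versus `by_src` can be seen on the same traffic. The host addresses, timestamps and the exact reset semantics of the window are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class SynPacket:
    """Minimal view of one TCP packet: timestamp, endpoints, port and TCP flags."""
    ts: float
    src: str
    dst: str
    dport: int
    flags: str


class DetectionFilter:
    """Model of Snort's detection_filter:track <by_src|by_dst>, count N, seconds S.

    The window starts at the tracked host's first rule match; every match beyond
    `count` inside `seconds` produces an alert. Once the window has expired the
    counter starts over with the next match (assumed simplification of Snort).
    """

    def __init__(self, track: str, count: int, seconds: float):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.track, self.count, self.seconds = track, count, seconds
        self.state: dict[str, tuple[float, int]] = {}  # key -> (window_start, matches)

    def key(self, pkt: SynPacket) -> str:
        return pkt.src if self.track == "by_src" else pkt.dst

    def check(self, pkt: SynPacket) -> bool:
        """Record one rule match and return True if it exceeds the allowed count."""
        k = self.key(pkt)
        start, n = self.state.get(k, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:      # window expired: reset the counter
            start, n = pkt.ts, 0
        n += 1
        self.state[k] = (start, n)
        return n > self.count


def rule_matches(pkt: SynPacket, home_net: set[str], port: int = 80) -> bool:
    """Header and payload part of the posted rule: tcp any any -> $HOME_NET 80, flags:S."""
    return pkt.dst in home_net and pkt.dport == port and pkt.flags == "S"


def run_rule(packets, track: str, count: int, seconds: float,
             home_net: set[str] = frozenset({"10.0.0.5"})):
    """Replay packets in time order; return (timestamp, tracked key) for each alert."""
    df = DetectionFilter(track, count, seconds)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if rule_matches(pkt, home_net) and df.check(pkt):
            alerts.append((pkt.ts, df.key(pkt)))
    return alerts


def sample_traffic():
    """Constructed traffic (not a real capture): one host sending a SYN burst,
    five hosts sending a single SYN each, one ACK that should not match, and
    one late SYN from the burst source after the window has expired."""
    attacker, victim = "198.51.100.7", "10.0.0.5"
    pkts = [SynPacket(i * 0.2, attacker, victim, 80, "S") for i in range(25)]
    pkts += [SynPacket(0.5 + i, f"203.0.113.{i + 1}", victim, 80, "S") for i in range(5)]
    pkts.append(SynPacket(2.0, attacker, victim, 80, "A"))     # not a bare SYN
    pkts.append(SynPacket(15.0, attacker, victim, 80, "S"))    # outside the 10 s window
    return pkts


if __name__ == "__main__":
    for track in ("by_dst", "by_src"):
        hits = run_rule(sample_traffic(), track, count=20, seconds=10)
        print(f"{track}: {len(hits)} alerts, first at t={hits[0][0]:.1f}s key={hits[0][1]}")
```

With `track by_dst` the single-SYN hosts are counted together with the burst source because they share a destination, so the rule fires ten times; with `track by_src` only the burst source exceeds the count and it fires five times, and the SYN at t=15 s starts a fresh window without alerting. One practical caveat when turning the posted rule into a local rule: SID values below 1000000 are reserved for the official rulesets, so a locally written rule should use a SID of 1000000 or higher.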