Snort mailing list archives

Snort rule writing


From: blend ajazi via Snort-sigs <snort-sigs () lists snort org>
Date: Sat, 24 Sep 2022 14:05:22 +0000

Hello community,

I am wondering how to write a Snort rule which detects, for example, a DDoS attack by analyzing the
"Source-to-destination packets per second"?
Here is an attempt for a DDoS attack on TCP (SYN flood):

alert tcp any any -> $HOME_NET 80 (flags: S; msg:"Possible DoS Attack Type : SYN flood"; flow:stateless; sid:3; detection_filter:track by_dst, count 20, seconds 10;)


And which rule options do I use for defining the following?

Number of inbound connections per destination IP.
Number of inbound connections per source IP.
Maximum duration of aggregated records


Thank you so much

Best regards

Blend Ajazi
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
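An added illustration (written for this archive page; it is not part of the original post and not Snort's own code) of what the three detection_filter parameters in the rule above do. Snort counts rule matches per tracked host in a window of `seconds`: `track by_dst` counts matches per destination IP, `track by_src` counts them per source IP, and an event is generated once more than `count` matches land inside the window. The script below models that behaviour in Python and replays constructed SYN traffic (not a real capture) through the posted rule, once tracked by destination and once by source, so the difference between the two options is visible. The Packet class, the host addresses and the packet timings are assumptions made for the example; the exact boundary at which Snort fires (modelled here as the (count+1)-th match and every later match inside the window, as the Snort manual describes it) should be confirmed against the Snort version in use.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet: only the fields the posted rule inspects (constructed type)."""
    ts: float      # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags as a string, e.g. "S" for a bare SYN


class DetectionFilter:
    """Model of the rule option: detection_filter: track <by_src|by_dst>, count <c>, seconds <s>.

    Matches are counted per tracked host in a sliding window of `seconds`.
    An event is generated once the count inside the window is exceeded,
    i.e. on the (count+1)-th match and on every later match in the window.
    """

    def __init__(self, track, count, seconds):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.track = track
        self.count = count
        self.seconds = seconds
        self._windows = {}   # tracked host -> deque of match timestamps

    def _key(self, pkt):
        # by_src aggregates per source IP, by_dst per destination IP
        return pkt.src if self.track == "by_src" else pkt.dst

    def match(self, pkt):
        """Record one rule match for pkt; return True if the rate limit is exceeded."""
        window = self._windows.setdefault(self._key(pkt), deque())
        window.append(pkt.ts)
        # `seconds` bounds how long a match stays aggregated: age out old ones.
        while window and pkt.ts - window[0] >= self.seconds:
            window.popleft()
        return len(window) > self.count


def rule_matches(pkt):
    """The fixed part of the posted rule: tcp any any -> $HOME_NET 80 with flags:S."""
    return pkt.flags == "S" and pkt.dport == 80


def run_rule(packets, track="by_dst", count=20, seconds=10):
    """Replay packets through the rule; return (ts, src, dst) for every alert raised."""
    dfilter = DetectionFilter(track, count, seconds)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if rule_matches(pkt) and dfilter.match(pkt):
            alerts.append((pkt.ts, pkt.src, pkt.dst))
    return alerts


def sample_packets():
    """Constructed traffic (not a real capture) towards the server 10.0.0.5:80."""
    pkts = []
    # 192.0.2.10 sends 25 SYNs in 5 seconds: the flood.
    for i in range(25):
        pkts.append(Packet(100.0 + 0.2 * i, "192.0.2.10", "10.0.0.5", 80, "S"))
    # 192.0.2.20 opens 3 connections over 40 seconds: a normal client.
    for i in range(3):
        pkts.append(Packet(100.0 + 20.0 * i, "192.0.2.20", "10.0.0.5", 80, "S"))
    # An ACK never satisfies flags:S, so it is not counted at all.
    pkts.append(Packet(101.0, "192.0.2.10", "10.0.0.5", 80, "A"))
    return pkts


if __name__ == "__main__":
    for track in ("by_dst", "by_src"):
        alerts = run_rule(sample_packets(), track=track)
        sources = sorted({a[1] for a in alerts})
        print(f"track {track}: {len(alerts)} alerts, sources {sources}")
```

Read against the three questions in the post: "number of inbound connections per destination IP" is `track by_dst`, "per source IP" is `track by_src`, and `seconds` is the longest time a match stays aggregated before it ages out of the window. With `by_dst` the normal client's SYNs at the same moment are counted together with the flood against the server, so the rule fires one time more than with `by_src`, where only the flooding host exceeds the count and the normal client is never reported.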
