[Snort-devel] Devel Request
alambert at ...89...
Mon Oct 23 16:51:24 EDT 2000
Anyone feel like whipping up a packet-flood detection
pre-processor? I would think it would be relatively easy to hack up
spp_portscan a bit and get one that would work for such uses (mainly just
need to add ICMP packet rate checking, and modify the alert messages a
small bit I think: "spp_flood: [TCP/UDP/ICMP] flood detected from $IPADDR:
500 packets in under 5 seconds" type thing). But my C skills leave a lot
to be desired (otherwise I'd do it myself), so I may have no clue what I
just asked for. :)
Either that, or if someone knows a good way to do the same thing
(DoS/Wannabe DoS attack detection) w/o generating a ton of alerts, that'd
be cool too. Thanks in advance.
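
Added example, not part of the original post and not Snort code: a C version of the per-source, per-protocol packet-rate check the message asks for, using the post's figure of 500 packets in 5 seconds and raising one alert per flood episode rather than one per window. The table size, the hash, the fixed (not sliding) window and the names flood_check and feed are assumptions; the traffic fed to it is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW_SECS 5     /* "under 5 seconds", from the post */
#define THRESHOLD   500   /* "500 packets", from the post */
#define TABLE_SIZE  1024  /* assumed: counter slots per protocol */
enum proto { P_TCP, P_UDP, P_ICMP, P_MAX };
static const char *proto_name[P_MAX] = { "TCP", "UDP", "ICMP" };
struct slot { uint32_t src, start, count; int in_use, alerted; };
static struct slot table[P_MAX][TABLE_SIZE];

/* Count one packet. Returns 1 only on the packet that opens a new flood
 * episode for this source and protocol, so a sustained flood alerts once. */
int flood_check(enum proto p, uint32_t src, uint32_t now)
{
    struct slot *s = &table[p][(src * 2654435761u) % TABLE_SIZE];
    uint32_t age = now - s->start;
    if (!s->in_use || s->src != src) {       /* new source or hash collision */
        *s = (struct slot){ src, now, 0, 1, 0 };
    } else if (age >= WINDOW_SECS) {         /* fixed window expired */
        /* stay quiet only while the flood continues without a gap */
        s->alerted = s->alerted && s->count >= THRESHOLD && age < 2 * WINDOW_SECS;
        s->start = now; s->count = 0;
    }
    if (++s->count >= THRESHOLD && !s->alerted) {
        s->alerted = 1;
        return 1;
    }
    return 0;
}

/* Constructed traffic: n packets at pps packets per second starting at t0.
 * Prints each alert in the post's format and returns the number raised. */
int feed(enum proto p, uint32_t src, uint32_t t0, uint32_t pps, uint32_t n)
{
    int alerts = 0;
    for (uint32_t i = 0; i < n; i++)
        if (flood_check(p, src, t0 + i / pps)) {
            alerts++;
            printf("spp_flood: %s flood detected from %u.%u.%u.%u: %d packets in under %d seconds\n",
                   proto_name[p], src >> 24, (src >> 16) & 255, (src >> 8) & 255, src & 255, THRESHOLD, WINDOW_SECS);
        }
    return alerts;
}

int main(void)
{   /* 30-second ICMP flood at 200 pps from 192.0.2.1: expect one alert */
    return feed(P_ICMP, 0xC0000201u, 0, 200, 6000) == 1 ? 0 : 1;
}
```

Because the window is fixed, a burst split across a window boundary can stay under the threshold in both halves, and a hash collision between two sources evicts the older counter.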