[Snort-devel] Devel Request

A.L.Lambert alambert at ...89...
Mon Oct 23 16:51:24 EDT 2000


	Anyone feel like whipping up a packet-flood detection
pre-processor?  I would think it would be relatively easy to hack up
spp_portscan a bit and get one that would work for such uses (mainly just
need to add ICMP packet rate checking, and modify the alert messages a
small bit I think: "spp_flood: [TCP/UDP/ICMP] flood detected from $IPADDR:
500 packets in under 5 seconds" type thing).  But my C skills leave a lot
to be desired (otherwise I'd do it myself), so I may have no clue what I
just asked for. :)

	Either that, or if someone knows a good way to do the same thing
(DoS/Wannabe DoS attack detection) w/o generating a ton of alerts, that'd
be cool too.  Thanks in advance.

-- A.L.Lambert
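The heuristic the post sketches (count packets per source within a short window, alert at a threshold, and do not alert again for every packet once the threshold is crossed) is small enough to show in full. The following is an added example written for this archive page, not code from Snort, spp_portscan or the poster; the names flood_state, flood_check, run_demo and MAX_SOURCES are invented for it, the 500-packets-in-5-seconds numbers come from the post, and the 60-second alert suppression interval is an assumed value. Packets are keyed on (source address, IP protocol) so TCP, UDP and ICMP floods from one host are counted and reported separately, and timestamps are plain seconds rather than anything tied to a capture library.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 64  /* hypothetical fixed table; a real preprocessor would hash */

struct flood_entry {
    uint32_t src;           /* source IPv4 address, host byte order */
    uint8_t  proto;         /* IP protocol number: 1 ICMP, 6 TCP, 17 UDP */
    uint32_t window_start;  /* timestamp at which the current window began */
    int      count;         /* packets counted in the current window */
    int      alerted;       /* becomes 1 once an alert has been raised */
    uint32_t last_alert;    /* timestamp of the most recent alert */
    int      in_use;
};

struct flood_state {
    int      threshold;     /* packets from one (src, proto) within the window */
    uint32_t window_secs;   /* counting window length in seconds */
    uint32_t suppress_secs; /* minimum gap between alerts for one (src, proto) */
    struct flood_entry table[MAX_SOURCES];
};

void flood_init(struct flood_state *st, int threshold, uint32_t window_secs, uint32_t suppress_secs)
{
    memset(st, 0, sizeof *st);
    st->threshold = threshold;
    st->window_secs = window_secs;
    st->suppress_secs = suppress_secs;
}

/* Find or allocate the slot tracking (src, proto); NULL when the table is full. */
static struct flood_entry *flood_lookup(struct flood_state *st, uint32_t src, uint8_t proto, uint32_t ts)
{
    struct flood_entry *free_slot = NULL;
    for (int i = 0; i < MAX_SOURCES; i++) {
        struct flood_entry *e = &st->table[i];
        if (e->in_use && e->src == src && e->proto == proto)
            return e;
        if (!e->in_use && free_slot == NULL)
            free_slot = e;
    }
    if (free_slot == NULL)
        return NULL;
    memset(free_slot, 0, sizeof *free_slot);
    free_slot->in_use = 1;
    free_slot->src = src;
    free_slot->proto = proto;
    free_slot->window_start = ts;
    return free_slot;
}

/* Account one packet from (src, proto) seen at time ts (seconds).
 * Returns 1 when an alert should be emitted, 0 otherwise. */
int flood_check(struct flood_state *st, uint32_t src, uint8_t proto, uint32_t ts)
{
    struct flood_entry *e = flood_lookup(st, src, proto, ts);
    if (e == NULL)
        return 0;  /* table full: count nothing rather than misbehave */
    /* Start a fresh fixed window once the old one has expired. */
    if (ts - e->window_start >= st->window_secs) {
        e->window_start = ts;
        e->count = 0;
    }
    e->count++;
    if (e->count < st->threshold)
        return 0;
    /* Threshold reached: alert at most once per suppress_secs, so a sustained
     * flood yields one alert per suppression period rather than one per packet. */
    if (e->alerted && ts - e->last_alert < st->suppress_secs)
        return 0;
    e->alerted = 1;
    e->last_alert = ts;
    return 1;
}

static const char *proto_name(uint8_t p) { return p == 1 ? "ICMP" : p == 6 ? "TCP" : p == 17 ? "UDP" : "IP"; }

/* Feed one packet and print any alert in the format the post suggests. */
static int feed(struct flood_state *st, uint32_t src, uint8_t proto, uint32_t ts)
{
    if (!flood_check(st, src, proto, ts))
        return 0;
    printf("spp_flood: %s flood detected from %u.%u.%u.%u: %d packets in under %u seconds\n",
           proto_name(proto), src >> 24, (src >> 16) & 255, (src >> 8) & 255, src & 255,
           st->threshold, st->window_secs);
    return 1;
}

/* Constructed trace: 10.0.0.1 sends 600 ICMP packets within 2 s (a flood);
 * 10.0.0.2 sends 100 TCP packets spread over 50 s (normal). Returns alerts raised. */
int run_demo(void)
{
    struct flood_state st;
    int alerts = 0;
    flood_init(&st, 500, 5, 60);
    for (int i = 0; i < 600; i++)
        alerts += feed(&st, 0x0A000001u, 1, 100 + (uint32_t)(i / 300));
    for (int i = 0; i < 100; i++)
        alerts += feed(&st, 0x0A000002u, 6, 100 + (uint32_t)(i / 2));
    return alerts;
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```

The constructed trace produces exactly one alert: the 600-packet ICMP burst trips the threshold at packet 500 and the remaining 100 packets are absorbed by the suppression interval, while the slow TCP sender never accumulates more than ten packets in any five-second window. The fixed window is deliberately simple; it can under-count a burst that straddles a window boundary, which a sliding window or token bucket would avoid at the cost of more state per source.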