[Snort-devel] Devel Request

Martin Roesch roesch at ...48...
Tue Oct 24 18:43:54 EDT 2000


Good idea, anyone up for it?  I may be able to get to it once we get the other
1.7 stuff ironed out a little more.  Wasn't somebody working on ICMP covert
channel detection a while back?  Whatever happened to that?

    -Marty

"A.L.Lambert" wrote:
> 
>         Anyone feel like whipping up a packet-flood detection
> pre-processor?  I would think it would be relatively easy to hack up
> spp_portscan a bit and get one that would work for such uses (mainly just
> need to add ICMP packet rate checking, and modify the alert messages a
> small bit I think: "spp_flood: [TCP/UDP/ICMP] flood detected from $IPADDR:
> 500 packets in under 5 seconds" type thing).  But my C skills leave a lot
> to be desired (otherwise I'd do it myself), so I may have no clue what I
> just asked for. :)
> 
>         Either that; or if someone knows a good way to do the same thing
> (DoS/Wannabe DoS attack detection) w/o generating a ton of alerts, that'd
> be cool too.  Thanks in advance.
> 
> -- A.L.Lambert

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org


