[Snort-devel] spp_flood (the importance of port connection?)
acearns at ...398...
Thu Aug 8 04:39:08 EDT 2002
I'm developing a generic flood detection preprocessor
I've a few design questions.
Currently, I'm able to detect generic ping flood
attack generated by simple commands such as
The icmp flood alert is based on the fact that icmp
doesn't have port numbers associated with it.
So, a simple count of the number of incoming icmp
packets (X) received at a target over the specified
time (Y) is used to raise an alert.
For generic UDP and TCP flood detection:
Should I differentiate the attack based on a
particular port number? ie, should I also track the
number of packets received at each port in order to
raise an alert? (X packets received at Z port over Y
Do I only need to consider the total number of
incoming packets from a specific source (regardless of
which port the packets are target at)? (X packets over
What are your suggestions?
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
More information about the Snort-devel