[Snort-devel] spp_flood (the importance of port connection?)

Cearns Angela acearns at ...398...
Thu Aug 8 04:39:08 EDT 2002


I'm developing a generic flood detection preprocessor
for snort.
I've a few design questions.

Currently, I'm able to detect a generic ping flood
attack generated by simple commands such as
ping -f

The icmp flood alert is based on the fact that icmp
doesn't have port numbers associated with it.
So, a simple count of the number of incoming icmp
packets (X) received at a target over the specified
time (Y) is used to raise an alert. 

For generic UDP and TCP flood detection:
Option 1:
Should I differentiate the attack based on a
particular port number? I.e., should I also track the
number of packets received at each port in order to
raise an alert? (X packets received at Z port over Y

Option 2:
Do I only need to consider the total number of
incoming packets from a specific source (regardless of
which port the packets are targeted at)? (X packets over
Y time)

What are your suggestions?
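As an added illustration of the two options (example code, not from the post or from Snort's spp_flood): a sliding-window counter prototype in Python over constructed sample traffic. It keys ICMP by target only, as the post describes, and shows that per-port counting (Option 1) stays silent on a source that spreads X packets across many ports, while per-source counting (Option 2) raises the alert. Timestamps, addresses and the X=10 / Y=1 s thresholds are constructed values.

```python
from collections import defaultdict, deque

# Constructed traffic sample: (timestamp_ms, proto, src, dst, dport); ICMP has no port.
SAMPLE = (
    # 12 UDP packets from 10.0.0.5 to 10.0.0.1, each to a different port
    [(i * 50, "udp", "10.0.0.5", "10.0.0.1", 1000 + i) for i in range(12)]
    # 12 UDP packets from 10.0.0.9 to 10.0.0.1, all to port 53
    + [(i * 50, "udp", "10.0.0.9", "10.0.0.1", 53) for i in range(12)]
    # 11 ICMP echo requests from 10.0.0.7 to 10.0.0.1 (the ping -f case)
    + [(i * 50, "icmp", "10.0.0.7", "10.0.0.1", None) for i in range(11)]
    # benign: 5 TCP packets from 10.0.0.3 to port 80, well under threshold
    + [(i * 50, "tcp", "10.0.0.3", "10.0.0.1", 80) for i in range(5)]
)


def flow_key(pkt, mode):
    """Pick the counter bucket for a packet.
    ICMP has no ports, so it is always keyed by target host.
    mode="per_port":   Option 1, count per (proto, src, dst, dport).
    mode="per_source": Option 2, count everything one source sends."""
    _, proto, src, dst, dport = pkt
    if proto == "icmp":
        return ("icmp", dst)
    if mode == "per_port":
        return (proto, src, dst, dport)
    return (proto, src)


def detect_floods(packets, mode, threshold=10, window_ms=1000):
    """Sliding-window counter: alert when a bucket has seen >= threshold (X)
    packets within window_ms (Y). Returns {bucket_key: first alert time}."""
    buckets = defaultdict(deque)  # key -> timestamps inside the window
    alerts = {}
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts = pkt[0]
        key = flow_key(pkt, mode)
        q = buckets[key]
        q.append(ts)
        while ts - q[0] > window_ms:  # expire timestamps older than Y
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


if __name__ == "__main__":
    for mode in ("per_port", "per_source"):
        print(mode, detect_floods(SAMPLE, mode))
```

With these inputs Option 1 reports only the port-53 flood and the ICMP flood; Option 2 additionally catches 10.0.0.5, whose packets never exceed one per port.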