[Snort-devel] spp_flood (the importance of port connection?)

Chris Green cmg at ...402...
Thu Aug 8 11:26:04 EDT 2002

"Vinay A. Mahadik" <VAMahadik at ...1463...> writes:

> Cearns Angela wrote:
>>
>> For generic UDP and TCP flood detection:
>> Option 1:
>> -----------
>> Should I differentiate the attack based on a
>> particular port number? ie, should I also track the
>> number of packets received at each port in order to
>> raise an alert? (X packets received at Z port over Y
>> time)
> I think per (dip, dport) should be more effective. Are you only relying
> on X/Y heuristics? There may not exist a decent X/Y rate threshold for
> most networks without some sort of traffic conditioning. If you achieve
> some stable incoming traffic distribution for a given (dport, dip)
> combination, and place the threshold at a few standard deviations above
> the average(?), a flood can still be achieved at rates slightly below
> the known threshold rate for detection. Besides, a steady traffic rate
> distribution typically doesn't exist (it changes every hour, between days,
> etc.). So, if you are looking for real-time detection (else the effects of
> DoS will be felt and reported before your IDS), then you need to be
> thinking 'anomaly detection', which is much more involved (and I don't
> believe exists, without conditioning).

If you are going to work on this, check out the stats portion of
spp_conversation.  Trying to figure out whether to make it a rule
plugin to check (which would be more natural) or a preprocessor to
check (which would be more speedy) is a hard call to make.

Chris Green <cmg at ...402...>
Eschew obfuscation.
