[Snort-sigs] I need a rule for synk4.c attack
alib at ...505...
Wed Apr 10 06:42:18 EDT 2002
How can I write a Snort (Snort 1.8.6) rule for the synk4.c SYN flood
(with spoofed IP) attack program?
Here is the tcpdump of the attack: (destination port 80 supplied as an
04/09-17:05:43.860348 10.10.10.10:1368 -> 10.15.0.27:80
TCP TTL:30 TOS:0x0 ID:29579 IpLen:20 DgmLen:40
1*****S* Seq: 0x28376839 Ack: 0x0 Win: 0xFFFF TcpLen: 20
I have tried the above rule to detect the attack, but it doesn't
recognize it (I have changed the sequence number of the original rule).
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood";
flags: S; seq: 674719801; reference:arachnids,253;
classtype:attempted-dos; sid:241; rev:2;)
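As an added example (not from the poster or the Snort project), the following Python script parses the Snort 1.8-style three-line packet headers quoted above and flags a destination that receives a burst of bare SYNs from many distinct source addresses, which is the shape of a spoofed SYN flood, instead of matching a fixed sequence number as the shaft rule does. The window, thresholds and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# Regexes for the Snort 1.8 three-line packet header format quoted in the post,
# e.g. "04/09-17:05:43.860348 10.10.10.10:1368 -> 10.15.0.27:80".
HDR = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+):(\d+) -> (\S+):(\d+)$")
TCP = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+ Win: (0x[0-9A-Fa-f]+)")

def parse_records(text):
    """Yield (seconds_since_midnight, src, dst, dport, flags, win) per TCP record."""
    lines = [l for l in text.splitlines() if l.strip()]
    for i in range(0, len(lines) - 2, 3):
        h, f = HDR.match(lines[i]), TCP.match(lines[i + 2])
        if not (h and f and lines[i + 1].startswith("TCP ")):
            continue  # not a TCP record of the expected shape
        hh, mm, ss, us, src, _sport, dst, dport = h.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(us) / 1e6
        yield t, src, dst, int(dport), f.group(1), int(f.group(2), 16)

def syn_flood_suspects(records, window=1.0, threshold=20, min_sources=5):
    """Return {(dst, dport): (syn_count, distinct_sources)} for targets that saw
    >= threshold bare SYNs (S set, A clear) from >= min_sources addresses within
    any window-second span; many sources, not the seq number, is the spoofing tell."""
    per_target = defaultdict(list)
    for t, src, dst, dport, flags, _win in records:
        if flags[6] == "S" and flags[3] != "A":  # flag columns are 12UAPRSF
            per_target[(dst, dport)].append((t, src))
    hits = {}
    for key, pkts in per_target.items():
        pkts.sort()
        lo = 0
        for hi in range(len(pkts)):  # sliding window over arrival times
            while pkts[hi][0] - pkts[lo][0] > window:
                lo += 1
            srcs = {s for _, s in pkts[lo:hi + 1]}
            if hi - lo + 1 >= threshold and len(srcs) >= min_sources:
                hits[key] = (hi - lo + 1, len(srcs))
                break
    return hits

# Constructed sample: 30 SYNs from 30 different (spoofed) sources to 10.15.0.27:80
# within ~0.1 s, shaped like the post's record, plus one SYN/ACK that must not count.
SAMPLE = "".join(
    f"04/09-17:05:43.{860348 + i * 3000:06d} 10.{i}.{i}.{i}:{1368 + i} -> 10.15.0.27:80\n"
    f"TCP TTL:30 TOS:0x0 ID:{29579 + i} IpLen:20 DgmLen:40\n"
    f"1*****S* Seq: 0x{0x28376839 + i:08X} Ack: 0x0 Win: 0xFFFF TcpLen: 20\n"
    for i in range(30)
) + ("04/09-17:05:44.000001 10.15.0.27:80 -> 10.20.0.5:40000\n"
     "TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:44\n"
     "***A**S* Seq: 0x00000001 Ack: 0x00000002 Win: 0x16D0 TcpLen: 24\n")
```

Calling `syn_flood_suspects(parse_records(SAMPLE))` reports the target once the 20-SYN threshold is crossed; a single client retransmitting SYNs from one address never satisfies `min_sources`.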