[Snort-sigs] I need a rule for synk4.c attack

Chris Green cmg at ...435...
Thu Apr 11 07:18:27 EDT 2002


Ali BASEL <alib at ...505...> writes:

> Hi,

> But, I wonder why snort can not detect it when there is no FIN bit ?

A SYN flooder is a rate-limiting problem and is something we don't
detect very well at the moment, and the best you can do is do rate
std deviation of SYNs detected.
>
> What should I do ?
>
> P.S.: If you want, I can send the program also (synk4.c).

Yes, please do, so we can look at the source and see if it has any
problems that allow it to be detected easily.
-- 
Chris Green <cmg at ...435...>
Laugh and the world laughs with you, snore and you sleep alone.
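
The rate / standard-deviation approach mentioned in the reply above, sketched as an added example (not part of the original message and not Snort code): count initial SYNs per time window and flag windows that exceed the mean of recent windows by k standard deviations. The window size, history length, k, the sigma floor and the sample capture are all assumptions constructed for illustration.

```python
from collections import Counter, deque
from statistics import mean, pstdev

SYN, ACK = 0x02, 0x10  # TCP flag bits

def syn_rate_alerts(packets, window=1.0, history=5, k=3.0, min_sigma=1.0):
    """packets: iterable of (timestamp_seconds, tcp_flags).
    Returns [(window_start, syn_count, threshold)] for windows whose SYN
    count exceeds mean + k*sigma of the preceding `history` windows."""
    counts = Counter()
    for ts, flags in packets:
        if flags & SYN and not flags & ACK:   # initial SYN only, not SYN/ACK
            counts[int(ts // window)] += 1
    if not counts:
        return []
    baseline = deque(maxlen=history)
    alerts = []
    for w in range(min(counts), max(counts) + 1):   # include empty windows
        n = counts.get(w, 0)
        if len(baseline) == history:
            # Floor on sigma stops a perfectly flat baseline from alerting
            # on a one-packet increase (assumed tuning value).
            sigma = max(pstdev(baseline), min_sigma)
            threshold = mean(baseline) + k * sigma
            if n > threshold:
                alerts.append((w * window, n, round(threshold, 2)))
                continue   # keep flood windows out of the baseline
        baseline.append(n)
    return alerts

def constructed_capture():
    """Constructed sample: 6 quiet seconds, then one second of 200 SYNs."""
    pkts = []
    for sec, n in enumerate([3, 2, 4, 3, 2, 4]):
        pkts += [(sec + i / 10, SYN) for i in range(n)]
        pkts.append((sec + 0.5, SYN | ACK))     # SYN/ACK replies are ignored
    pkts += [(6 + i / 200, SYN) for i in range(200)]
    pkts += [(7.1, SYN), (7.2, SYN), (7.3, SYN)]
    return pkts

if __name__ == "__main__":
    for start, n, thr in syn_rate_alerts(constructed_capture()):
        print(f"window t={start:.0f}s: {n} SYNs (threshold {thr})")
```

The check is independent of other flag bits such as FIN, since it keys only on the volume of initial SYNs per window.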




