[Snort-sigs] I need a rule for synk4.c attack

Ali BASEL alib at ...505...
Thu Apr 11 07:41:47 EDT 2002


Hi,

I am attaching the synk4.c code.
Run it without giving a port range, like this:
# ./syn4k 10.10.10.10 destination_ip 80 80
(if you haven't enabled syncookies in your Red Hat or any other
distribution, it can keep the Apache web service busy)

I have tried several sleep times in the code... usleep(xxx);

Regards,
Ali.

Chris Green wrote:

> Ali BASEL <alib at ...505...> writes:
> 
> 
>>Hi,
>>
> 
>>But, I wonder why snort cannot detect it when there is no FIN bit?
>>
> 
> A syn flooder is a rate limiting problem and is something we don't
> detect very well at the moment, and the best you can do is do rate
> std deviation of syns detected
> 
>>What should I do ?
>>
>>P.S.: If you want, I can send the program also (synk4.c).
>>
> 
> Yes, please do, so we can look at the source and see if it has any
> problems that allow it to be detected easily.
> 

-- 
Ali BASEL

Sabanci University
IT Dept.
Tel: +90 216 483 91 94
Http://people.sabanciuniv.edu/~alib
-------------- next part --------------
A non-text attachment was scrubbed...
Name: synk4.c.tar.z
Type: application/x-compress
Size: 3220 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020411/c82dc5f0/attachment.bin>
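
The "rate std deviation of syns" idea from the quoted reply, as an added example that is not part of the original thread and not Snort code: it counts bare SYNs per destination per second and flags windows above the baseline mean plus k standard deviations. The function names, the 1-second window, k=3, the deviation floor and the sample packets (documentation address 192.0.2.10) are all assumptions made for illustration.

```python
import statistics
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits

def syn_counts(packets, window=1.0):
    """Count bare SYNs (SYN set, ACK clear) per (dst, dport, window index)."""
    counts = Counter()
    for ts, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            counts[(dst, dport, int(ts // window))] += 1
    return counts

def series(counts, target, first, last):
    """Per-window counts for one (dst, dport) target, zero-filled."""
    return [counts.get((*target, w), 0) for w in range(first, last + 1)]

def flag_windows(counts, target, baseline, watch, k=3.0, sd_floor=1.0):
    """Return (threshold, [(window, count), ...]) for windows above mean + k*sd."""
    base = series(counts, target, *baseline)
    mean = statistics.mean(base)
    # Floor the deviation so a quiet, steady baseline does not alert on +1 SYN.
    sd = max(statistics.pstdev(base), sd_floor)
    threshold = mean + k * sd
    seen = zip(range(watch[0], watch[1] + 1), series(counts, target, *watch))
    return threshold, [(w, c) for w, c in seen if c > threshold]

def build_sample():
    """Constructed capture: 10 quiet seconds, then a burst toward 192.0.2.10:80."""
    per_second = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6, 5, 400, 380]
    pkts = []
    for w, n in enumerate(per_second):
        pkts += [(w + i / n, "192.0.2.10", 80, SYN) for i in range(n)]
        pkts.append((w + 0.5, "192.0.2.10", 80, SYN | ACK))  # reply, ignored
    return pkts

if __name__ == "__main__":
    counts = syn_counts(build_sample())
    threshold, hits = flag_windows(counts, ("192.0.2.10", 80), (0, 9), (10, 12))
    print(f"threshold={threshold:.1f} SYN/s")
    for w, c in hits:
        print(f"window {w}: {c} SYNs")
```

Counting per destination rather than per source keeps the check useful when the source address in each SYN is forged.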