[Snort-sigs] I need a rule for synk4.c attack
alib at ...505...
Thu Apr 11 07:41:47 EDT 2002
I am attaching the synk4.c code.
Run it without giving a port range, like that:
# ./syn4k 10.10.10.10 destination_ip 80 80
(if you haven't enabled syncookies in your redhat or any other
distrubition, it can make busy the apache web service)
I have tried several sleep times in the code... usleep(xxx);
Chris Green wrote:
> Ali BASEL <alib at ...505...> writes:
>>But, I wonder why snort can not detect it when there is no FIN bit ?
> A syn flooder is a rate limiting problem and is something we don't
> detect very well at the moment that and the best you can do is do rate
> std deviation of syns detected
>>What should I do ?
>>P.S.: If you want, I can send the program also (synk4.c).
> yes please do so we can look at the source and see if it has any
> problems that allow it to be detected easily..
Tel: +90 216 483 91 94
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3220 bytes
Desc: not available
More information about the Snort-sigs