[Snort-sigs] detection of smurf attack

Joel Esler jesler at ...435...
Tue Dec 1 08:01:19 EST 2009


This smells like a homework assignment.

J

On Tue, Dec 1, 2009 at 3:57 AM, sofia insat <sofia.insat at ...174...> wrote:

> I want to alert on this attack when I detect the first 20 ICMP packets per
> second. How can I do it?
>
>
>
>
> --- On Tue 1.12.09, Rodrigo Montoro(Sp0oKeR) <spooker at ...3422.....> wrote:
>
>
> From: Rodrigo Montoro(Sp0oKeR) <spooker at ...2420...>
> Subject: Re: [Snort-sigs] detection of smurf attack
> To: "sofia insat" <sofia.insat at ...174...>
> Cc: snort-sigs at lists.sourceforge.net
> Date: Tuesday, 1 December 2009, 1:39 AM
>
>
> "Since potentially many events will be generated, a detection filter
> would normally be used in conjunction with
> an event filter to reduce the number of logged events."
>
> Read README.filter at doc directory in tarball .
>
> BTW your rule will trigger any icmp packet (ipv4/ipv6) . Read
> README.ipv6 too  =)
>
> Regards,
>
>
> On Mon, Nov 30, 2009 at 9:38 PM, sofia insat <sofia.insat at ...174...>
> wrote:
> > Hi,
> >
> > I have to detect a smurf attack with ICMPv6 packets.
> > I have used detection_filter and threshold like this:
> > alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------"; detection_filter: track by_src, count 30, seconds 1; sid:1000009;)
> > alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------"; threshold: type limit, track by_src, count 30, seconds 1; sid:10000010;)
> >
> > but in the alert file I obtain all the alerts.
> > The script of smurf attack that I have used generates about 17000 echo
> > request packets per second and I want to have only one alert.
> >
> > Thanks
> >
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Join us December 9, 2009 for the Red Hat Virtual Experience,
> > a free event focused on virtualization and cloud computing.
> > Attend in-depth sessions from your desk. Your couch. Anywhere.
> > http://p.sf.net/sfu/redhat-sfdev2dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> >
>
>
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
>
>
>
>

-- 
Joel Esler | 302-223-5974 | Gtalk: jesler at ...435...
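A worked model, added here and not code from Snort or from anyone in this thread, of the detection_filter and event_filter semantics Rodrigo points to in README.filter: it reproduces the alert counts behind the original poster's "I obtain all the alerts" and shows what a count 1 event_filter changes. The fixed, per-source window handling is a simplifying assumption, not Snort's exact implementation.

```python
"""Simplified model of Snort's detection_filter and event_filter (README.filter),
run over a constructed ICMP flood. Assumptions: a single source address, and
counting windows that start at the first packet seen and restart once
`seconds` have elapsed."""

def detection_filter(timestamps, count, seconds):
    """Times at which a rule carrying
    `detection_filter: track by_src, count <count>, seconds <seconds>` fires:
    detection_filter is a rate threshold, so every match AFTER the first
    `count` in a window fires (it does not suppress anything)."""
    fired, window_start, n = [], None, 0
    for t in timestamps:
        if window_start is None or t - window_start >= seconds:
            window_start, n = t, 0      # new window, reset the counter
        n += 1
        if n > count:
            fired.append(t)
    return fired

def event_filter_limit(timestamps, count, seconds):
    """Keeps only the first `count` events per window, like
    `event_filter gen_id 1, sig_id N, type limit, track by_src,
    count <count>, seconds <seconds>` (or the rule keyword threshold: type limit)."""
    kept, window_start, n = [], None, 0
    for t in timestamps:
        if window_start is None or t - window_start >= seconds:
            window_start, n = t, 0
        n += 1
        if n <= count:
            kept.append(t)
    return kept

# Constructed flood: 17000 echo requests spread evenly over one second.
FLOOD = [i / 17000 for i in range(17000)]

def alerts_detection_filter_only():
    # The first posted rule: fires on packets 31..17000 of that second.
    return len(detection_filter(FLOOD, 30, 1))                    # 16970

def alerts_posted_threshold_only():
    # The second posted rule: no rate check, first 30 matches per second logged.
    return len(event_filter_limit(FLOOD, 30, 1))                  # 30

def alerts_with_event_filter():
    # detection_filter count 30 plus event_filter type limit, count 1, seconds 1.
    return len(event_filter_limit(detection_filter(FLOOD, 30, 1), 1, 1))  # 1

if __name__ == "__main__":
    print(alerts_detection_filter_only(), alerts_posted_threshold_only(),
          alerts_with_event_filter())
```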