[Snort-sigs] detection of smurf attack

Nigel Houghton nhoughton at ...435...
Tue Dec 1 08:26:17 EST 2009


On Tue, Dec 1, 2009 at 3:57 AM, sofia insat <sofia.insat at ...174...> wrote:
>
> I want to alert on this attack when I detect the first 20 ICMP packets per second.
> How can I do it?
>
>
>
>
> --- On Tue 1.12.09, Rodrigo Montoro(Sp0oKeR) <spooker at ...3418......> wrote:
>
> From: Rodrigo Montoro(Sp0oKeR) <spooker at ...2420...>
> Subject: Re: [Snort-sigs] detection of smurf attack
> To: "sofia insat" <sofia.insat at ...174...>
> Cc: snort-sigs at lists.sourceforge.net
> Date: Tuesday 1 December 2009, 1:39
>
> "Since potentially many events will be generated, a detection filter
> would normally be used in conjunction with
> an event filter to reduce the number of logged events."
>
> Read README.filter in the doc directory of the tarball.
>
> BTW your rule will trigger on any icmp packet (ipv4/ipv6). Read
> README.ipv6 too  =)
>
> Regards,
>
>
> On Mon, Nov 30, 2009 at 9:38 PM, sofia insat <sofia.insat at ...174...> wrote:
> > Hi,
> >
> > I have to detect a smurf attack with ICMPv6 packets.
> > I have used detection_filter and threshold like this:
> > alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------";
> > detection_filter: track by_src, count 30, seconds 1; sid:1000009;)
> > alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF
> > -----------"; threshold: type limit, track by_src, count 30, seconds 1;
> > sid:10000010;)
> >
> > but in the alert file I obtain all the alerts.
> > The smurf attack script that I have used generates about 17000 echo
> > request packets per second and I want to have only one alert.
> >
> > Thanks
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Join us December 9, 2009 for the Red Hat Virtual Experience,
> > a free event focused on virtualization and cloud computing.
> > Attend in-depth sessions from your desk. Your couch. Anywhere.
> > http://p.sf.net/sfu/redhat-sfdev2dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> >
>
>
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
>
>
>

It looks like you are getting homework assignments to complete. This
list is not here to answer homework questions.

All the answers you seek are in the Snort manual and the README files
that accompany the distribution. You need to do a little work, read
the documentation and find your own answers.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
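The pairing that Rodrigo's quoted reply points to, a detection_filter in the rule plus an event_filter in threshold.conf, written out as an added example that is not code from the thread. It assumes Snort 2.8.x syntax as documented in README.filter, a sensor built with IPv6 support so that `icmp` rules also see ICMPv6 (the point of README.ipv6), and ICMPv6 echo requests (itype 128) as the traffic to gate; the sid is the one from the original rule.

```snort
# local.rules: the rule only matches once a single source has sent more than
# 20 ICMPv6 echo requests inside one second. detection_filter is a pre-alert
# rate gate, not a limiter: every packet past the 20th in that second still
# satisfies the rule until the one-second window resets, which is why a
# detection_filter alone floods the alert file during a 17000 pkt/s run.
alert icmp any any -> any any (msg:"DOS IPV6: possible SMURF flood, more than 20 echo requests/sec from one source"; \
    itype:128; \
    detection_filter: track by_src, count 20, seconds 1; \
    classtype:attempted-dos; sid:1000009; rev:2;)

# threshold.conf (included from snort.conf): collapse the stream of matches
# into a single logged event per source host every 60 seconds.
# gen_id 1 is the rules engine; sig_id is the sid of the rule above.
event_filter gen_id 1, sig_id 1000009, type limit, track by_src, count 1, seconds 60
```

The deprecated in-rule `threshold:` keyword used in the original second rule is replaced here by the event_filter, so the two counters (rate gate, then log limit) are applied in the order README.filter describes.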



