[Snort-sigs] detection of smurf attack

sofia insat sofia.insat at ...174...
Mon Nov 30 18:38:55 EST 2009


Hi,

I have to detect a smurf attack with ICMPv6 packets.
I have used detection_filter and threshold like this:

alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------"; detection_filter: track by_src, count 30, seconds 1; sid:1000009;)

alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF  -----------"; threshold: type limit, track by_src, count 30, seconds 1; sid:10000010;)

but in the alert file I get all the alerts.
The smurf attack script that I used generates about 17000 echo request packets per second, and I want to have only one alert.

Thanks
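
Added example (not part of the original post, and not Snort's own code): a simplified Python model of the alerting behaviour the Snort 2.x manual documents for detection_filter and for the three threshold types, run over a constructed flood at the 17000 packets-per-second rate mentioned above. The fixed-window bookkeeping, the function names and the 2001:db8:: addresses are assumptions made for the illustration.

```python
from collections import defaultdict

RATE = 17000             # echo requests per second, the figure given in the post
COUNT, SECONDS = 30, 1   # count/seconds used in both posted rules


def alerts(mode, packets, count=COUNT, seconds=SECONDS, rate=RATE):
    """Count alerts for one rule tracked by_src.

    packets is a list of (tick, src); `rate` ticks make one second.
    Assumption: a sampling interval opens at a source's first match and a
    new one opens once `seconds` have elapsed (simplified model).
    """
    state = defaultdict(lambda: [None, 0])   # src -> [interval start, matches]
    fired = 0
    for tick, src in packets:
        win = state[src]
        if win[0] is None or tick - win[0] >= seconds * rate:
            win[0], win[1] = tick, 0         # new interval for this source
        win[1] += 1
        n = win[1]
        if mode == "detection_filter":       # every match once the rate is exceeded
            fired += n > count
        elif mode == "limit":                # only the first `count` matches
            fired += n <= count
        elif mode == "threshold":            # every `count`-th match
            fired += n % count == 0
        elif mode == "both":                 # once, when `count` is reached
            fired += n == count
        else:
            raise ValueError(mode)
    return fired


def flood(seconds=2, src="2001:db8::1"):
    """Constructed sample: one source sending RATE packets per second."""
    return [(i, src) for i in range(seconds * RATE)]


def summary(packets):
    modes = ("detection_filter", "limit", "threshold", "both")
    return {m: alerts(m, packets) for m in modes}


if __name__ == "__main__":
    for mode, n in summary(flood()).items():
        print(f"{mode:17s} {n:6d} alerts in 2 s")
```

Under this model only type both yields a single alert per source per interval; detection_filter alerts on every packet after the first 30 in the interval, and type limit alerts on the first 30.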


      