[Snort-sigs] detection of smurf attack

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Mon Nov 30 19:39:41 EST 2009


"Since potentially many events will be generated, a detection filter
would normally be used in conjunction with
an event filter to reduce the number of logged events."

Read README.filter in the doc directory of the tarball.

BTW your rule will trigger on any ICMP packet (IPv4/IPv6). Read
README.ipv6 too =)

Regards,


On Mon, Nov 30, 2009 at 9:38 PM, sofia insat <sofia.insat at ...174...> wrote:
> Hi,
>
> I have to detect a smurf attack with ICMPv6 packets.
> I have used detection_filter and threshold like this:
> alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------";
> detection_filter: track by_src, count 30, seconds 1; sid:1000009;)
> alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF
> -----------"; threshold: type limit, track by_src, count 30, seconds 1;
> sid:10000010;)
>
> but in the alert file I obtain all the alerts.
> The smurf attack script that I have used generates about 17000 echo
> request packets per second and I want to have only one alert.
>
> Thanks
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
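As an added illustration that is not part of this thread or of Snort itself, the following constructed Python model shows why a detection_filter alone logs an event for every packet past the threshold, why a threshold of type limit with count 30 still logs 30 per second, and how pairing detection_filter with an event_filter of type limit gets the single alert the poster wants. It uses a simplified fixed window, not Snort's exact bookkeeping, and the source address 2001:db8::1 is a documentation-range placeholder.

```python
# Constructed, simplified model of Snort's detection_filter and event_filter
# (type limit). Uses a fixed window that restarts when `seconds` elapse since
# the first hit; Snort's real bookkeeping differs in detail, but the counts
# it predicts for the rules in this thread follow the README.filter semantics.

class WindowCounter:
    """Per-source hit counter over a fixed time window of `seconds`."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.state = {}  # src -> (window_start, hits)

    def hit(self, src, ts):
        """Record one hit for src at time ts; return hits in current window."""
        start, hits = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a new one
            start, hits = ts, 0
        hits += 1
        self.state[src] = (start, hits)
        return hits


def simulate(packets, detection=None, event_limit=None):
    """Count alerts written to the alert file for a stream of (src, ts).

    detection   = (count, seconds) of a detection_filter on the rule: the rule
                  fires only for packets beyond `count` within the window.
    event_limit = (count, seconds) of an event_filter/threshold 'type limit':
                  only the first `count` events per window are logged.
    """
    det = WindowCounter(detection[1]) if detection else None
    lim = WindowCounter(event_limit[1]) if event_limit else None
    logged = 0
    for src, ts in packets:
        if det is not None and det.hit(src, ts) <= detection[0]:
            continue  # rate not yet exceeded: rule does not fire
        if lim is not None and lim.hit(src, ts) > event_limit[0]:
            continue  # event generated but suppressed by the limit
        logged += 1
    return logged


def echo_request_flood(src, pps, seconds):
    """Constructed ICMP echo-request flood: pps packets/s from one source."""
    return [(src, i / pps) for i in range(int(pps * seconds))]


if __name__ == "__main__":
    pkts = echo_request_flood("2001:db8::1", 17000, 2)  # placeholder source
    print(simulate(pkts, detection=(30, 1)))                        # 33940
    print(simulate(pkts, event_limit=(30, 1)))                      # 60
    print(simulate(pkts, detection=(30, 1), event_limit=(1, 60)))   # 1
```

The third call corresponds to keeping the detection_filter rule and adding an event_filter with type limit, count 1, seconds 60 for that sid in the Snort configuration.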