<div dir="ltr"><div>UDP sig with threshold might be interesting... Will be expensive though. What do you guys think?<br><br></div>Regards,<br><br>Will<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Tue, Apr 23, 2013 at 1:35 PM, Castle, Shane <span dir="ltr"><<a href="mailto:scastle@...3555..." target="_blank">scastle@...3555...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I see that using the chargen port for DDoS is happening: <a href="https://isc.sans.edu/diary/A+Chargen-based+DDoS+Chargen+is+still+a+thing+/15647" target="_blank">https://isc.sans.edu/diary/A+Chargen-based+DDoS+Chargen+is+still+a+thing+/15647</a><br>

<br>
Now, I block all these both ways at my firewall (actually, on the outside, I think they are in a router ACL), but looking through the complete set of rules I don't see anything but one ("DOS UDP echo+chargen bomb", sid 271) that seems to address this port range of the TCP and UDP "trivial" (AKA "simple") ports. Has there ever been one? Should we have one?<br>

<span class="HOEnZb"><font color="#888888"><br>
--<br>
Shane Castle<br>
Data Security Mgr, Boulder County IT<br>
</font></span></blockquote></div><br></div>