[Snort-users] SYN packet

Panji Wasmana panji at ...474...
Thu Oct 12 04:17:16 EDT 2000


i already read analysis of denial service attack on tcp, this algorithm
(if i am not wrong) based on finite state, so i trying to  collect data
from my network using snort. i saw the normal trafic and trying to
compare with traffic that contain synflood and portscanning in same
network ( i make some attack simulation). my question:

there is some fixed number for conclusion some packet is part from
scanning port? 
say, if i determined every packet that not complete establish connection
or trying to connect into closed port, is anomaly and how much the
number of packet that can make me conclusion is port scanning or
synflood.

in another paper i read about datamining and analysist normal pattern
from spesified network, how to get normal pattern in fast way? because i
think IDS need something in realtime... and fast.

i am sorry if my question is not in relevant in this mailinglist, but i
think, all audience in this mailinglist are good in security concept.


thanks in advance,

best regards,

panji



More information about the Snort-users mailing list