[Snort-users] SYN packet

Martin Roesch roesch at ...421...
Sat Oct 14 03:01:32 EDT 2000


Check out SPICE/SPADE at http://www.silicondefense.com, I think this might
have the information you're interested in...

    -Marty

Panji Wasmana wrote:
> 
> I already read an analysis of denial-of-service attacks on TCP. This algorithm
> (if I am not wrong) is based on finite state, so I am trying to collect data
> from my network using Snort. I saw the normal traffic and am trying to
> compare it with traffic that contains a SYN flood and port scanning in the same
> network (I made some attack simulations). My question:
> 
> Is there some fixed number for concluding that some packet is part of
> port scanning?
> Say, if I determine that every packet that does not complete establishing a
> connection, or tries to connect to a closed port, is an anomaly, how many
> packets allow me to conclude it is port scanning or a
> SYN flood?
> 
> In another paper I read about data mining and analysis of normal patterns
> from a specified network. How do I get the normal pattern in a fast way? Because I
> think an IDS needs something in real time... and fast.
> 
> I am sorry if my question is not relevant to this mailing list, but I
> think all the audience of this mailing list are good at security concepts.
> 
> Thanks in advance,
> 
> Best regards,
> 
> Panji

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
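
An added illustration, not part of either message and not how SPICE/SPADE works: it counts handshakes that never complete, as the question proposes, and separates a port scan (one source, many ports on one host) from a SYN flood (many unanswered SYNs at one host:port). The thresholds, the event tuple format and the sample traffic are assumptions constructed for the example; there is no universal fixed number, so they must be tuned against your own baseline.

```python
from collections import Counter, defaultdict

# Assumed thresholds for illustration only; tune them against a baseline
# of your own network's normal traffic.
SCAN_PORTS = 10    # distinct ports one source probes on one host
FLOOD_SYNS = 100   # unanswered SYNs aimed at one host:port

def classify(events):
    """events: iterable of (src, dst, dport, flag); flag "S" = client SYN,
    "A" = client's handshake-completing ACK, "R" = server RST (closed port)."""
    half_open = Counter()
    for src, dst, dport, flag in events:
        key = (src, dst, dport)
        if flag == "S":
            half_open[key] += 1
        elif flag == "A" and half_open[key] > 0:
            half_open[key] -= 1          # handshake completed: normal
        # "R" leaves the SYN counted: a closed-port probe is an anomaly
    ports_by_pair = defaultdict(set)     # (src, dst) -> ports probed
    syns_by_target = Counter()           # (dst, dport) -> unanswered SYNs
    for (src, dst, dport), n in half_open.items():
        if n > 0:
            ports_by_pair[(src, dst)].add(dport)
            syns_by_target[(dst, dport)] += n
    alerts = []
    for (src, dst), ports in sorted(ports_by_pair.items()):
        if len(ports) >= SCAN_PORTS:
            alerts.append(("portscan", src, dst, len(ports)))
    for (dst, dport), n in sorted(syns_by_target.items()):
        if n >= FLOOD_SYNS:
            alerts.append(("synflood", dst, dport, n))
    return alerts

def sample_events():
    """Constructed traffic (documentation addresses), not a real capture."""
    ev = []
    for p in (80, 80, 25):               # normal clients complete handshake
        ev += [("192.0.2.10", "198.51.100.5", p, "S"),
               ("192.0.2.10", "198.51.100.5", p, "A")]
    for p in range(1, 21):               # one source, 20 closed ports
        ev += [("192.0.2.66", "198.51.100.5", p, "S"),
               ("192.0.2.66", "198.51.100.5", p, "R")]
    for i in range(150):                 # many sources, one port, no ACK
        ev.append((f"203.0.113.{i}", "198.51.100.5", 80, "S"))
    return ev

if __name__ == "__main__":
    for alert in classify(sample_events()):
        print(alert)
```

The flood check groups by target rather than by source because flood sources are usually spoofed, so no single source address crosses a per-source count.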
