[Snort-users] spoof detection?

Martin Forest martin at ...4069...
Tue Nov 13 18:10:02 EST 2001

> *       All machines on the Net receiving these packets that don't have port
> 21 open, respond to my web server with a RST, thinking my web server is the
> source of the packets.
> *       So now my web server is receiving tons of RSTs from different hosts
> on the Net, where enough of them could cause a denial of service.
> Is there a way to setup Snort to look for a high threshold of RSTs so I can
> tell when someone might be spoofing my address and trying to cause a denial
> of service on my site?

I might have misunderstood your question. But why would you do
something like that with an IDS system? That is normally a task for a
firewall, not an IDS system. iptables is the perfect tool for this task. It
uses stateful inspection and you can configure logging in many ways
for different events, and easily configure anti-spoofing... i.e. log
/ block if I receive more than x events during n seconds...

(If ISPs around the world knew what they were doing and configured anti-
spoofing on all gateways, we would have a much smaller problem with
spoofing... I used to work for an ISP in New Zealand and saved several gigs
of data every day when filtering spoofing.)
/Martin Forest
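As an added example, not code from the original post and not Snort or iptables configuration, here is the check Martin describes ("log if I receive more than x events during n seconds") written out in Python so the logic can be run offline: a stateful detector that ignores RSTs answering connections the server itself opened, and raises an alert only when unsolicited RSTs arriving within a sliding window exceed a count threshold and come from many distinct hosts, which is the backscatter pattern the original question describes. The packet records, the server address (203.0.113.10, from the RFC 5737 documentation range), the window and the thresholds are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

# Assumed address of the web server whose address is being spoofed (RFC 5737 test range).
WEB_SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: timestamp, endpoints and flag string ("S", "SA", "R", "RA")."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class BackscatterDetector:
    """Counts inbound RSTs that do not belong to any connection the server initiated.

    A RST answering a SYN we sent is normal; a RST for a 4-tuple we never opened is
    backscatter from someone else's packets carrying our source address.
    """

    def __init__(self, server_ip, window_s=10.0, max_rsts=50, min_sources=20):
        self.server_ip = server_ip
        self.window_s = window_s          # the "n seconds"
        self.max_rsts = max_rsts          # the "x events"
        self.min_sources = min_sources    # distinct senders needed to call it backscatter
        self.outbound_syns = set()        # 4-tuples of connections the server opened
        self.unsolicited = deque()        # (ts, src) of unsolicited RSTs inside the window
        self.unsolicited_total = 0
        self.alerts = []                  # (ts, rst_count_in_window, distinct_sources)
        self.last_alert_ts = None

    def observe(self, pkt):
        # Record connections the server initiates (plain SYN, not SYN-ACK).
        if pkt.src == self.server_ip and pkt.flags == "S":
            self.outbound_syns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return None
        # Only inbound RSTs to the server are of interest.
        if pkt.dst != self.server_ip or "R" not in pkt.flags:
            return None
        # Stateful check: the reverse 4-tuple of a connection we opened is a legitimate RST.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.outbound_syns:
            self.outbound_syns.discard(key)
            return None
        self.unsolicited.append((pkt.ts, pkt.src))
        self.unsolicited_total += 1
        # Slide the window: drop entries older than window_s.
        while self.unsolicited and pkt.ts - self.unsolicited[0][0] > self.window_s:
            self.unsolicited.popleft()
        distinct = {src for _, src in self.unsolicited}
        if len(self.unsolicited) > self.max_rsts and len(distinct) >= self.min_sources:
            # Raise at most one alert per window so a flood does not produce a log flood.
            if self.last_alert_ts is None or pkt.ts - self.last_alert_ts >= self.window_s:
                alert = (pkt.ts, len(self.unsolicited), len(distinct))
                self.alerts.append(alert)
                self.last_alert_ts = pkt.ts
                return alert
        return None


def run_demo():
    """Feed constructed traffic through the detector and return it for inspection."""
    det = BackscatterDetector(WEB_SERVER)
    packets = []
    # 1. Legitimate: the server opens a connection and the peer refuses it with RST/ACK.
    packets.append(Packet(50.0, WEB_SERVER, 40000, "198.51.100.5", 3306, "S"))
    packets.append(Packet(50.1, "198.51.100.5", 3306, WEB_SERVER, 40000, "RA"))
    # 2. Backscatter: 60 hosts whose port 21 was hit by spoofed SYNs, all answering
    #    the server with RST/ACK within six seconds.
    for i in range(60):
        packets.append(Packet(100.0 + i / 10, f"192.0.2.{i + 1}", 21, WEB_SERVER, 30000 + i, "RA"))
    # 3. Background noise: 30 unsolicited RSTs spread over a minute, below the threshold.
    for i in range(30):
        packets.append(Packet(300.0 + 2 * i, f"198.51.100.{100 + i}", 21, WEB_SERVER, 31000 + i, "R"))
    for pkt in packets:
        alert = det.observe(pkt)
        if alert:
            print(f"t={alert[0]:.1f}s: {alert[1]} unsolicited RSTs from {alert[2]} hosts "
                  f"in {det.window_s:.0f}s, likely spoofing of {WEB_SERVER}")
    return det


if __name__ == "__main__":
    run_demo()
```

The legitimate RST in step 1 is matched against the server's own outbound SYN and never counted, the slow trickle in step 3 never fills the window, and only the burst in step 2 fires, once, at the 51st unsolicited RST. In iptables the same window is expressed with the `limit` match (`-m limit --limit N/s --limit-burst M`) on a rule matching `--tcp-flags RST RST`, so that RSTs above the rate fall through to a following LOG or DROP rule; the "anti-spoofing on all gateways" Martin asks of ISPs is egress filtering of source addresses that do not belong to the customer's own prefixes.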

