[Snort-users] spp_flood (the importance of port connection?)

Cearns Angela acearns at ...131...
Thu Aug 8 04:39:05 EDT 2002


Hello:

I'm developing a generic flood detection preprocessor
for snort.
I've a few design questions.

Currently, I'm able to detect a generic ping flood
attack generated by simple commands such as
ping -f

The icmp flood alert is based on the fact that icmp
doesn't have port numbers associated with it.
So, a simple count of the number of incoming icmp
packets (X) received at a target over the specified
time (Y) is used to raise an alert. 

For generic UDP and TCP flood detection:
Option 1:
-----------
Should I differentiate the attack based on a
particular port number? i.e., should I also track the
number of packets received at each port in order to
raise an alert? (X packets received at Z port over Y
time)

or

Option 2:
-----------
Do I only need to consider the total number of
incoming packets from a specific source (regardless of
which port the packets are targeted at)? (X packets over
Y time)

What are your suggestions?

Thanks,
Ang
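One way to see how the two options behave differently, as an added example that is not from the original post or from Snort's own code: both keying schemes feed the same sliding-window counter (X packets within Y seconds) over constructed sample traffic, and a port spray trips only the per-source key. The window, threshold, addresses and port numbers are made-up values.

```python
from collections import defaultdict, deque

WINDOW_SECS = 1.0   # Y: length of the observation window (assumed value)
THRESHOLD = 5       # X: packets allowed in the window before alerting (assumed value)

class FloodTracker:
    """Sliding-window packet counter keyed by an arbitrary tuple."""
    def __init__(self, window=WINDOW_SECS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.times = defaultdict(deque)   # key -> timestamps of recent packets

    def observe(self, key, ts):
        """Record one packet; return True once key exceeds threshold within window."""
        q = self.times[key]
        q.append(ts)
        # Evict timestamps older than the window so the count slides with time
        # instead of resetting on fixed boundaries.
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold

def run(packets, keyfunc):
    """Feed (ts, src, dst, proto, dport) tuples; return the set of keys that alerted."""
    tracker = FloodTracker()
    alerts = set()
    for ts, src, dst, proto, dport in packets:
        key = keyfunc(src, dst, proto, dport)
        if tracker.observe(key, ts):
            alerts.add(key)
    return alerts

# Option 1: count per destination port (X packets at port Z over Y time).
def per_port(src, dst, proto, dport):
    return (src, dst, proto, dport)

# Option 2: count per source regardless of port (X packets over Y time).
def per_source(src, dst, proto, dport):
    return (src, dst, proto)

# Constructed sample traffic, not a real capture:
# 12 UDP packets in 0.55 s from one host, each aimed at a different port.
SPRAY = [(0.05 * i, "10.0.0.9", "10.0.0.1", "udp", 1000 + i) for i in range(12)]
# 12 UDP packets in 0.55 s from one host, all aimed at port 53.
SINGLE_PORT = [(0.05 * i, "10.0.0.9", "10.0.0.1", "udp", 53) for i in range(12)]
# 3 ICMP echo requests one second apart: ordinary ping, should never alert.
NORMAL_ICMP = [(1.0 * i, "10.0.0.7", "10.0.0.1", "icmp", None) for i in range(3)]
```

Running `run(SPRAY, per_port)` returns nothing while `run(SPRAY, per_source)` alerts, which is the trade-off between the two options: per-port keys localise the alert to a service but miss a flood spread across ports.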
