[Snort-users] Snort and Synflood alerts

Abe L. Getchell abegetchell at ...530...
Tue Jan 15 20:00:02 EST 2002


Hi Scott!

Well, since a SYN is a SYN is a SYN, there's really no way of saying
that one SYN packet is part of a SYN flood attack and one isn't.  There
_are_ special characteristics you'll see _occasionally_ with poorly
written SYN flood DoS and DDoS software such as a static IP
identification number, a static source port, a static TCP sequence
number, or even data on the SYN (which is discussed in a different
capacity in another thread on the list right now); I've seen all of
these in the wild.  Snort has all the rules you need to detect the
control channels for the zombie processes which generate the DoS
packets, but Snort really can't tell you if you're experiencing a SYN
flood.

It seems that the portscan preprocessor could be pretty easily modified
to allow it to detect X number of SYN packets, instead of packets to X
number of ports, in a specified amount of time.  Kind of sort of a SYN
flood packet rate detector type thingy.  I might just have to add this
to the list of projects I'll never get time to complete... <sigh>

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...
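The SYN-rate detector sketched above, with the tool fingerprints from the first paragraph (static IP ID, static source port, static sequence number, data on the SYN) checked over the same burst, as an added example that is not part of the original thread and is not Snort code. The packet tuple layout, the one-second window, the threshold of 100 SYNs, and the traffic sample are all assumptions constructed for illustration; a real deployment would feed it from a capture library and tune the threshold to the host's normal connection rate.

```python
"""Sliding-window SYN-rate detector with tool-fingerprint heuristics.

Added example, not from the original post or from Snort.  Window size,
threshold, the Packet layout and the sample traffic are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "A"
    ip_id: int     # IP identification field
    seq: int       # TCP sequence number
    dsize: int     # TCP payload bytes


def is_bare_syn(p):
    """A SYN without ACK: the first packet of a handshake (or of a flood)."""
    return "S" in p.flags and "A" not in p.flags


def fingerprints(syns):
    """Artefacts of poorly written flood tools: fields that never vary."""
    found = []
    if len({p.ip_id for p in syns}) == 1:
        found.append("static ip_id")
    if len({p.sport for p in syns}) == 1:
        found.append("static source port")
    if len({p.seq for p in syns}) == 1:
        found.append("static seq")
    if any(p.dsize > 0 for p in syns):
        found.append("data on SYN")
    return found


class SynFloodDetector:
    """Alert once per (dst, dport) when SYNs in the trailing window exceed threshold."""

    def __init__(self, window=1.0, threshold=100):
        self.window = window
        self.threshold = threshold
        self.buckets = defaultdict(deque)   # (dst, dport) -> SYNs in window
        self.alerted = set()

    def feed(self, p):
        if not is_bare_syn(p):
            return None
        key = (p.dst, p.dport)
        q = self.buckets[key]
        q.append(p)
        # drop SYNs that have fallen out of the trailing window
        while q and p.ts - q[0].ts > self.window:
            q.popleft()
        if len(q) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return {
                "target": key,
                "syns_in_window": len(q),
                "window_s": self.window,
                "first_ts": q[0].ts,
                "last_ts": q[-1].ts,
                "fingerprints": fingerprints(q),
            }
        return None


def run(packets, window=1.0, threshold=100):
    """Feed packets in order and return the list of alerts raised."""
    det = SynFloodDetector(window, threshold)
    return [a for a in (det.feed(p) for p in packets) if a]


def constructed_traffic():
    """Constructed sample: 20 normal handshakes over 10 s, then a 150-SYN burst
    in 0.3 s from spoofed sources with a static IP ID and source port."""
    pkts = []
    for i in range(20):
        t, cli, cport = i * 0.5, f"192.0.2.{i + 1}", 40000 + i
        pkts.append(Packet(t, cli, cport, "10.0.0.5", 80, "S", 1000 + i, 1_000_000 * (i + 1), 0))
        pkts.append(Packet(t + 0.01, "10.0.0.5", 80, cli, cport, "SA", 2000 + i, 5_000_000 * (i + 1), 0))
        pkts.append(Packet(t + 0.02, cli, cport, "10.0.0.5", 80, "A", 1001 + i, 1_000_000 * (i + 1) + 1, 0))
    for i in range(150):
        pkts.append(Packet(12.0 + i * 0.002, f"203.0.113.{(i % 250) + 1}", 31337,
                           "10.0.0.5", 80, "S", 54321, 0x61616161 + i, 0))
    pkts.sort(key=lambda p: p.ts)
    return pkts


if __name__ == "__main__":
    for alert in run(constructed_traffic()):
        print(alert)
```

The detector fires on the 100th SYN of the burst and reports the static IP ID and static source port, while the twenty normal handshakes never come close to the threshold. Note that each bucket is only trimmed when its own target sees another SYN, so a long-running sensor would need a periodic sweep of idle buckets; that bookkeeping is left out here to keep the rate logic visible.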


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Scott Teeters Jr
> Sent: Tuesday, January 15, 2002 11:56 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort and Synflood alerts
> 
> 
> I am working on implementing Snort as our de facto IDS. One of the items my
> manager wants to see is our synflood activity. Synfloods have been a pain
> in our side in the past and we want to be able to break out the synflood
> activity as a separate item in our reporting. I need to know if anyone has
> seen a Snort signature that specifically targets synfloods?
> Thanks, Scott Teeters, Jr.
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 