[Snort-users] syn flood detection?

Vinay A. Mahadik VAMahadik at ...6245...
Mon Jul 29 17:18:09 EDT 2002

Daniel Lopez wrote:
> Hello,
> I am using SNORT 1.8.7 and I was performing some tests. I noticed that
> it was not able to detect SYN floods!
> I could read in previous posts that currently, this was not possible.

It wouldn't be easy to set a 'flood' threshold for SYN packets even for
one's own network (think mail server on Monday morning).

> Thus, I wanted to know if this will be possible in future versions?
> Then, it is possible to detect SYN floods with the use of SPADE?

Spade only helps in detecting packets going to rare/anomalous ports, not
all/any ports. So a flood of packets to a port that's a popular port
anyway by Spade's standards (think www) isn't going to trigger an alert.

I think SYN flood detection falls into anomaly detection, requiring
(perhaps impossible) incoming traffic modeling.

Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
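
As an added illustration of the thresholding problem raised in this reply (this is example code written for this page, not anything from Snort 1.8.7, Spade or the poster), the script below runs two detectors over a constructed packet log. The naive detector alerts on raw SYN counts per server and port and fires on a legitimate Monday-morning burst of 300 mail clients just as readily as on a flood; the second detector counts half-open handshakes (SYNs whose flow never sees the client's completing ACK within the window) and fires only on the flood, because spoofed flood sources never complete the three-way handshake. Record layout, hostnames, addresses, window size and the threshold of 200 are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet records, not real capture data.
# Each record is (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, flags)
# with tcpdump-style flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK.
def make_sample_traffic():
    records = []
    # Scenario 1 (t=100..103): legitimate burst, 300 mail clients each complete a handshake
    # with the mail server 10.0.0.25:25 (the "Monday morning" case).
    for i in range(300):
        client = f"192.168.{i // 250}.{i % 250 + 1}"
        cport = 40000 + i
        t = 100.0 + i * 0.01
        records.append((t, client, cport, "10.0.0.25", 25, "S"))
        records.append((t + 0.001, "10.0.0.25", 25, client, cport, "SA"))
        records.append((t + 0.002, client, cport, "10.0.0.25", 25, "A"))
    # Scenario 2 (t=200..203): SYN flood from spoofed sources against 10.0.0.80:80.
    # The server answers SYN/ACK, but nobody ever sends the final ACK.
    for i in range(300):
        spoofed = f"198.51.{i // 250}.{i % 250 + 1}"
        sport = 1024 + i
        t = 200.0 + i * 0.01
        records.append((t, spoofed, sport, "10.0.0.80", 80, "S"))
        records.append((t + 0.001, "10.0.0.80", 80, spoofed, sport, "SA"))
    return records


def flow_key(rec):
    """Normalise a record to (client_ip, client_port, server_ip, server_port).

    A SYN/ACK travels server->client, so its source/destination are swapped
    to land on the same key as the client's SYN and ACK.
    """
    _ts, src, sport, dst, dport, flags = rec
    if flags == "SA":
        return (dst, dport, src, sport)
    return (src, sport, dst, dport)


def bucket_of(ts, window):
    """Start time of the fixed-size window containing ts."""
    return int(ts // window) * window


def syn_count_alerts(records, window=10.0, threshold=200):
    """Naive detector: alert when a server port receives more than `threshold`
    SYNs in one window. Returns [(window_start, dst_ip, dst_port, syn_count)]."""
    counts = defaultdict(int)
    for ts, _src, _sport, dst, dport, flags in records:
        if flags == "S":
            counts[(bucket_of(ts, window), dst, dport)] += 1
    return sorted((b, d, p, n) for (b, d, p), n in counts.items() if n > threshold)


def half_open_alerts(records, window=10.0, threshold=200):
    """Handshake-aware detector: alert when more than `threshold` SYNs seen in a
    window are never followed by the client's completing ACK on the same flow.
    Returns [(window_start, dst_ip, dst_port, half_open_count)]."""
    pending = {}                    # flow key -> (window_start, dst_ip, dst_port)
    opened = defaultdict(int)       # SYNs per (window_start, dst_ip, dst_port)
    completed = defaultdict(int)    # handshakes finished per the same key
    for rec in sorted(records):     # process in time order
        ts, _src, _sport, dst, dport, flags = rec
        key = flow_key(rec)
        if flags == "S":
            owner = (bucket_of(ts, window), dst, dport)
            pending[key] = owner
            opened[owner] += 1
        elif flags == "A" and key in pending:
            # First ACK from the client on a pending flow closes the handshake;
            # later data ACKs no longer match because the flow was popped.
            completed[pending.pop(key)] += 1
    alerts = []
    for owner, n_syn in opened.items():
        half_open = n_syn - completed[owner]
        if half_open > threshold:
            alerts.append((*owner, half_open))
    return sorted(alerts)


if __name__ == "__main__":
    traffic = make_sample_traffic()
    print("raw SYN threshold alerts :", syn_count_alerts(traffic))
    print("half-open handshake alerts:", half_open_alerts(traffic))
```

Both detectors use the same window and the same threshold; the only difference is whether handshake completion is tracked. The raw count reports both the mail-server burst and the flood, while the half-open count reports only the flood, which is the distinction a static per-port SYN threshold cannot make on its own.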
