[Snort-users] syn flood detection?

Vinay A. Mahadik VAMahadik at ...6245...
Mon Jul 29 17:18:09 EDT 2002


Daniel Lopez wrote:
> 
> Hello,
> 
> I am using SNORT 1.8.7 and I was performing some tests. I noticed that
> it was not able to detect SYN floods!
> I could read in previous posts that currently, this was not possible.
> 

It wouldn't be easy to set a 'flood' threshold for SYN packets even for
one's own network (think mail server on Monday morning).

> Thus, I wanted to know if this will be possible in future versions?
> Then, it is possible to detect SYN floods with the use of SPADE?
> 

Spade only helps in detecting packets going to rare/anomalous ports, not
all/any ports. So a flood of packets to a port that's anyway a popular
port from Spade's standards (think www) isn't going to trigger an alert.

I think SYN flood detection falls into anomaly detection, requiring
(perhaps impossible) incoming traffic modeling.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
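The two points made in the reply above (a fixed SYN threshold misfires on a legitimately busy Monday-morning mail server, and real detection needs a model of the site's own incoming traffic) can be seen side by side in a small detector. The following is an added example, written for this page; it is not Snort code, not Spade, and not from either poster. The SYN-per-second history, the slot names ("Mon-09" etc.), and the observations are constructed values, and the k-sigma rule and the noise floor are assumptions chosen for illustration.

```python
"""
SYN-flood detection as a baseline-anomaly problem (added example).

Contrasts a fixed SYNs-per-second threshold with a per-time-slot baseline
built from the monitored host's own history. All numbers are constructed.
"""
import statistics

# Constructed history: SYNs per second observed toward one host, keyed by a
# day-of-week/hour slot. Several past samples per slot stand in for a model
# of "normal" for that slot. Monday 09:00 is a legitimately busy period.
HISTORY = {
    "Mon-09": [420, 460, 440, 480, 450],   # Monday-morning mail rush
    "Mon-03": [12, 15, 10, 14, 11],        # quiet overnight
    "Wed-14": [120, 130, 110, 125, 118],   # ordinary weekday afternoon
}

FIXED_THRESHOLD = 200   # assumed static "flood" cut-off in SYNs/second


def baseline(samples):
    """Return (mean, population stddev) of a slot's historical SYN rates."""
    return statistics.mean(samples), statistics.pstdev(samples)


def fixed_threshold_alert(syn_rate, threshold=FIXED_THRESHOLD):
    """Naive rule: alert whenever the SYN rate exceeds one site-wide number."""
    return syn_rate > threshold


def baseline_alert(slot, syn_rate, k=3.0, floor=20.0):
    """
    Model-aware rule: alert when the SYN rate exceeds mean + k * stddev for
    this slot. `floor` is an assumed minimum spread so that very quiet slots
    (stddev near zero) do not alert on a handful of extra connections.
    Unknown slots fall back to the fixed threshold, since no model exists.
    """
    if slot not in HISTORY:
        return fixed_threshold_alert(syn_rate)
    mean, sd = baseline(HISTORY[slot])
    limit = mean + k * max(sd, floor)
    return syn_rate > limit


def evaluate(observations):
    """
    Run both rules over (slot, syn_rate) pairs. Returns a list of
    (slot, syn_rate, fixed_fires, baseline_fires) so the two verdicts can be
    compared per observation.
    """
    return [
        (slot, rate, fixed_threshold_alert(rate), baseline_alert(slot, rate))
        for slot, rate in observations
    ]


if __name__ == "__main__":
    # Constructed observations: a normal busy Monday, a real overnight flood,
    # and a flood during the busy slot.
    sample = [("Mon-09", 470), ("Mon-03", 300), ("Mon-09", 2000)]
    for slot, rate, fixed, base in evaluate(sample):
        print(f"{slot:7} {rate:5d} SYN/s  fixed={fixed!s:5}  baseline={base}")
```

With the constructed history, the fixed rule fires on the 470 SYN/s Monday-morning observation (a false positive in the sense the reply describes) while the baseline rule does not, because 470 is inside three deviations of that slot's mean of 450. Both rules fire on 300 SYN/s at 03:00 and on 2000 SYN/s at 09:00. The weakness the reply also points at remains: the baseline is only as good as the history it is built from, and a slot with no history has no model to compare against.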



