[Snort-users] SYN flood detection

Pawel Rogocz pawel at ...5803...
Fri May 10 03:58:02 EDT 2002


I was really surprised to find out Snort does not detect SYN floods.
Checking spp_portscan.c, it looks like a small change should take care
of the problem. I am attaching a diff against 1.8.6.
It works for me, YMMV :-)


Pawel


*** spp_portscan.old	Fri May 10 03:27:39 2002
--- spp_portscan.c	Fri May 10 03:39:03 2002
***************
*** 666,672 ****
                          if(currentConnection == NULL)
                              FatalError(MODNAME ": currentConnection is NULL!!!??\n");
  
!                         if((currentConnection->dport == dport) && (currentConnection->scanType == scanType))
                          {
                              /*
                               * If the same exact connection already exists,
--- 666,672 ----
                          if(currentConnection == NULL)
                              FatalError(MODNAME ": currentConnection is NULL!!!??\n");
  
!                         if((currentConnection->sport == sport) && (currentConnection->dport == dport) && (currentConnection->scanType == scanType))
                          {
                              /*
                               * If the same exact connection already exists,
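Review bot: Adding `currentConnection->sport == sport` to the test at line 669 means a packet from a new source port to the same `dport` no longer matches the "same exact connection" branch, so an ordinary client that opens many short connections to one service will fall through to whatever path handles new connections, just as a scan or flood would. Consider putting the source-port comparison behind a preprocessor option, or counting these repeats against their own threshold, so the default port scan behaviour does not change. The hunk does not show where the local `sport` is assigned; confirm it is set on this path the same way `dport` is. The condition is also much longer than the surrounding lines; break it so each comparison sits on its own line.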

