[Snort-users] SYN flood detection

Matt Kettler mkettler at ...4108...
Fri May 10 09:02:05 EDT 2002


spp_portscan is intended to detect portscans, not syn floods. It's designed 
to detect numerous connections to *different* ports. A syn-flood detector 
is pretty similar in code design to spp_portscan, but detects something 
very different.

Perhaps a spp_synflood should be created to detect numerous connections 
period? I'd suspect you'd want different settings for the portscan and 
synflood versions anyway. (i.e., 4 different ports in 3 seconds is sufficient 
to call it a portscan, but more like 400 connections to call it a synflood.)


At 03:57 AM 5/10/2002 -0700, Pawel Rogocz wrote:
>I was really surprised to find out snort does not detect syn floods.
>Checking spp_portscan.c it looks like a small change should take care
>of the problem. I am attaching a diff against 1.8.6.
>It works for me, YMMV :-)
>
>
>Pawel
>
>
>*** spp_portscan.old    Fri May 10 03:27:39 2002
>--- spp_portscan.c      Fri May 10 03:39:03 2002
>***************
>*** 666,672 ****
>                           if(currentConnection == NULL)
>                               FatalError(MODNAME ": currentConnection is 
> NULL!!!??\n");
>
>!                         if((currentConnection->dport == dport) && 
>(currentConnection->scanType == scanType))
>                           {
>                               /*
>                                * If the same exact connection already exists,
>--- 666,672 ----
>                           if(currentConnection == NULL)
>                               FatalError(MODNAME ": currentConnection is 
> NULL!!!??\n");
>
>!                         if((currentConnection->sport == sport) && 
>(currentConnection->dport == dport) && (currentConnection->scanType == 
>scanType))
>                           {
>                               /*
>                                * If the same exact connection already exists,
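Review bot: The new condition compares `currentConnection->sport` against `sport`, but neither the definition of the `sport` variable nor the code that stores a source port into the connection record when a new connection is added appears in this hunk; if the record's source port is never populated, the comparison runs against an uninitialised or zero field and the "same exact connection already exists" short-circuit will never match. Separately, once the source port is part of the identity, every repeat connection to the same destination port becomes a distinct entry, so the portscan threshold (tuned for a handful of distinct ports in a few seconds) will now fire on ordinary high-rate traffic to a single service; a separate, much higher threshold for same-port connections is needed before this is usable outside a test setup.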
>
>
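To make the distinction drawn in the thread concrete, here is an added example (written for this page, not Snort's code and not the posted patch) of a per-source tracker that keeps two separate counters over one time window: distinct destination ports for portscan detection, and total SYNs regardless of source or destination port for SYN-flood detection. The thresholds (4 distinct ports, 400 SYNs, 3-second window) are the illustrative numbers from the reply above, not Snort defaults; in a real preprocessor they would come from snort.conf, and the state would live in a per-source-IP hash table rather than a single struct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative thresholds taken from the numbers in the thread, not Snort's
 * defaults. A real preprocessor would make each of these configurable. */
#define WINDOW_SECONDS      3     /* time window shared by both detectors */
#define PORTSCAN_DISTINCT   4     /* >= this many distinct dports => portscan */
#define SYNFLOOD_SYNS       400   /* >= this many SYNs in the window => synflood */
#define MAX_TRACKED_PORTS   64    /* cap on distinct ports remembered per source */

#define VERDICT_NONE      0
#define VERDICT_PORTSCAN  (1 << 0)
#define VERDICT_SYNFLOOD  (1 << 1)

/* Per-source state (hypothetical layout). A real implementation keeps one of
 * these per source IP; here the caller owns a single instance. */
typedef struct {
    uint32_t window_start;                 /* time the current window opened */
    unsigned syn_count;                    /* every SYN, whatever sport/dport */
    unsigned distinct_ports;               /* entries used in ports[] */
    uint16_t ports[MAX_TRACKED_PORTS];     /* distinct destination ports seen */
} source_state_t;

void source_init(source_state_t *s, uint32_t now)
{
    memset(s, 0, sizeof(*s));
    s->window_start = now;
}

static int port_seen(const source_state_t *s, uint16_t dport)
{
    for (unsigned i = 0; i < s->distinct_ports; i++)
        if (s->ports[i] == dport)
            return 1;
    return 0;
}

/* Record one SYN from this source to dport at time `now`. Returns a bitmask
 * of VERDICT_* flags that hold after this packet. The source port is
 * deliberately not an argument: counting SYNs rather than (sport, dport)
 * pairs is what makes many source ports hammering one dport visible, while
 * the distinct-port counter alone stays at 1 for that traffic. */
int observe_syn(source_state_t *s, uint32_t now, uint16_t dport)
{
    int verdict = VERDICT_NONE;

    /* Window expired: start over so old activity does not accumulate. */
    if (now - s->window_start > WINDOW_SECONDS)
        source_init(s, now);

    s->syn_count++;
    if (!port_seen(s, dport) && s->distinct_ports < MAX_TRACKED_PORTS)
        s->ports[s->distinct_ports++] = dport;

    if (s->distinct_ports >= PORTSCAN_DISTINCT)
        verdict |= VERDICT_PORTSCAN;
    if (s->syn_count >= SYNFLOOD_SYNS)
        verdict |= VERDICT_SYNFLOOD;
    return verdict;
}

/* Constructed input: n SYNs to one destination port within the same second,
 * modelling a single-source flood. Returns the final verdict. */
int simulate_single_port_burst(unsigned n, uint16_t dport)
{
    source_state_t s;
    int verdict = VERDICT_NONE;
    source_init(&s, 1000);
    for (unsigned i = 0; i < n; i++)
        verdict = observe_syn(&s, 1000, dport);
    return verdict;
}

/* Constructed input: one SYN to each of nports consecutive ports starting at
 * first_port, spaced `gap` seconds apart, modelling a port sweep. */
int simulate_port_sweep(unsigned nports, uint16_t first_port, uint32_t gap)
{
    source_state_t s;
    int verdict = VERDICT_NONE;
    source_init(&s, 1000);
    for (unsigned i = 0; i < nports; i++)
        verdict = observe_syn(&s, 1000 + i * gap, (uint16_t)(first_port + i));
    return verdict;
}

int main(void)
{
    printf("400 SYNs to port 80 in 1s -> verdict %d\n", simulate_single_port_burst(400, 80));
    printf("4 ports in 3s             -> verdict %d\n", simulate_port_sweep(4, 20, 1));
    printf("4 ports, 4s apart         -> verdict %d\n", simulate_port_sweep(4, 20, 4));
    return 0;
}
```

The flood case ends with `distinct_ports == 1`, so only the SYN-flood flag fires; the sweep case ends with `syn_count == 4`, so only the portscan flag fires. Spacing the sweep 4 seconds apart shows the window reset: nothing accumulates, which is the same reason a real detector needs its window and thresholds chosen per detection type rather than shared.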