[Snort-users] SYN flood detection
pawel at ...5803...
Fri May 10 14:11:03 EDT 2002
Thanks for bringing this up Erek.
Now, I am not sure what the portscan processor really tries to do, if
it only detects scans that are going to different ports.
It will not detect scans going to the same port whether they go to the
same box or not.
The change to spp_portscan.c is trivial, but as Matt pointed out,
you will have to think what your thresholds should be....
On Fri, May 10, 2002 at 12:01:45PM -0700, Erek Adams wrote:
> On Fri, 10 May 2002, Matt Kettler wrote:
> > spp_portscan is intended to detect portscans, not syn floods. It's designed
> > to detect numerous connections to *different* ports. A syn-flood detector
> > is pretty similar in code design to spp_portscan, but detects something
> > very different.
> And to detect scans to the _same_ port on _different_ machines.
> > perhaps a spp_synflood should be created to detect numerous connections
> > period? I'd suspect you'd want different settings for the portscan and
> > synflood versions anyway. (ie: 4 different ports in 3 seconds is sufficient
> > to call it a portscan, but more like 400 connections to call it a synflood.)
> This would really be a value that would have to be played with... But, yes--I
> think it would be nice to have as a plugin. Any coder volunteers? ;-)
> Erek Adams
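A worked sketch of the distinction the thread draws, added here as an illustration (it is not Snort code and not from any poster): one per-source sliding window over pure SYNs, flagging a portscan when many *distinct* host/port targets appear and a SYN flood when the *same* target is hit hundreds of times. The 4-targets-in-3-seconds and 400-SYNs figures are the ones quoted in the thread; the 3-second flood window and all addresses are assumptions.

```python
from collections import deque

# Thresholds quoted in the thread; the flood window is an assumption (thread gives none)
PORTSCAN_TARGETS = 4     # distinct (host, port) targets in the window
PORTSCAN_WINDOW = 3.0    # seconds
SYNFLOOD_SYNS = 400      # SYNs to a single (host, port)
SYNFLOOD_WINDOW = 3.0    # seconds (assumed)


class SynMonitor:
    """Hypothetical per-source sliding-window counter over TCP SYNs (not spp_portscan)."""

    def __init__(self):
        self.syns = {}  # src -> deque of (timestamp, (dst, dport)), oldest first

    def observe(self, ts, src, dst, dport, flags):
        """Feed one packet; return the alerts this packet triggers (possibly none)."""
        if "S" not in flags or "A" in flags:
            return []                        # only connection-opening SYNs count
        q = self.syns.setdefault(src, deque())
        q.append((ts, (dst, dport)))
        horizon = max(PORTSCAN_WINDOW, SYNFLOOD_WINDOW)
        while q and ts - q[0][0] > horizon:  # expire entries older than both windows
            q.popleft()
        alerts = []
        # Portscan: many different targets (vertical: ports; horizontal: hosts)
        targets = {t for t0, t in q if ts - t0 <= PORTSCAN_WINDOW}
        if len(targets) >= PORTSCAN_TARGETS:
            alerts.append(("PORTSCAN", src, len(targets)))
        # SYN flood: the same target hit over and over
        repeats = sum(1 for t0, t in q if t == (dst, dport) and ts - t0 <= SYNFLOOD_WINDOW)
        if repeats >= SYNFLOOD_SYNS:
            alerts.append(("SYNFLOOD", src, dst, dport, repeats))
        return alerts


def run(packets):
    """Replay (ts, src, dst, dport, flags) tuples through one monitor; return all alerts."""
    mon = SynMonitor()
    out = []
    for pkt in packets:
        out.extend(mon.observe(*pkt))
    return out


# Constructed sample traffic (not a real capture)
SCAN = [(0.2 * i, "10.0.0.5", "10.0.0.9", 20 + i, "S") for i in range(5)]   # 5 ports, 1 host
SWEEP = [(0.1 * i, "10.0.0.6", f"10.0.1.{i}", 22, "S") for i in range(5)]   # 1 port, 5 hosts
FLOOD = [(0.005 * i, "10.0.0.7", "10.0.0.9", 80, "S") for i in range(400)]  # 400 SYNs, 1 target
NORMAL = [(1.0 * i, "10.0.0.8", "10.0.0.9", 443, "S") for i in range(10)]   # slow, benign

if __name__ == "__main__":
    for name, pkts in (("scan", SCAN), ("sweep", SWEEP), ("flood", FLOOD), ("normal", NORMAL)):
        print(name, run(pkts))
```

The alert fires on every packet at or above threshold, so a real preprocessor would add per-source suppression once a source has been reported.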