[Snort-users] Snort tools for detecting, and alerting based on a DOS attack.

George Walford gwalford at ...7142...
Thu Oct 10 09:33:05 EDT 2002


I am currently using Snort with ACID on my network, and it is great.

However, I have had to reduce the number of rules that Snort looks for, otherwise ACID becomes overloaded (currently in the process of adding more sensors further down the network segments).

One problem I am faced with, however, is that ACID does not detect a DoS or DDoS attack very well for my needs. With the amount of information in the ACID database, an incoming DoS attack does not show up in the alerts for some time, as it has to compete with previous history in the database. So, until it reaches dangerous proportions, it is not detected.

What I am asking for is a way to detect and alert the network staff to an incoming DoS attack in real time, with a report including the attacking IPs and the target IP, and preferably the bandwidth used. Unfortunately, MRTG is not a solution in this case (we do have MRTG on the router).

What would be the best tool to use with snort to accomplish this?
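An added example (not from the original post, and not code from the Snort project) of the kind of real-time check being asked for: a small Python script that reads Snort's one-line "alert_fast" output, keeps a sliding time window per target host, and reports any target that receives more than a threshold of alerts inside that window, listing the attacking IPs and distinguishing a single-source DoS from a many-source DDoS. The alert lines, rule IDs, addresses, window length and threshold are all constructed for the example. One caveat a practitioner should keep in mind: the fast alert format carries no byte counts, so the bandwidth used cannot be reported from alert logs alone; that needs packet-level or flow data.

```python
"""Sliding-window flood detector over Snort "alert_fast" lines.

Example code added to this mailing-list post; it is not the poster's
or the Snort project's code. It assumes Snort's one-line fast alert
format:

  MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] message [**] ... {PROTO} src:port -> dst:port

The sample alerts, rule IDs (1:100001:1) and addresses below are
constructed for the example. Alert logs carry no byte counts, so the
report counts alerts per window, not bandwidth.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAST_ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)


def parse_fast_alert(line, year=2002):
    """Parse one fast-alert line; return None for banners and other non-alert text.
    The fast format has no year, so the caller supplies one."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def detect_floods(lines, window_seconds=5, threshold=10):
    """Return one incident per target whose alert count within a sliding
    window reaches `threshold`. Lines are expected in time order, as in a
    tailed log. An incident stays open while the window stays at or above
    the threshold and closes (a new one may open later) once it drains."""
    windows = defaultdict(deque)   # dst -> deque of (timestamp, src)
    open_incidents = {}            # dst -> incident currently over threshold
    report = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue                # skip Snort banners, blank lines, etc.
        q = windows[alert["dst"]]
        q.append((alert["ts"], alert["src"]))
        cutoff = alert["ts"] - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:
            q.popleft()             # drop alerts that fell out of the window
        if len(q) < threshold:
            open_incidents.pop(alert["dst"], None)
            continue
        inc = open_incidents.get(alert["dst"])
        if inc is None:
            inc = {"target": alert["dst"], "first_seen": q[0][0],
                   "last_seen": alert["ts"], "alerts": len(q), "sources": set()}
            open_incidents[alert["dst"]] = inc
            report.append(inc)
        inc["last_seen"] = alert["ts"]
        inc["alerts"] = max(inc["alerts"], len(q))   # peak alerts in one window
        inc["sources"] |= {src for _, src in q}
    for inc in report:
        inc["sources"] = sorted(inc["sources"])
        inc["kind"] = "DDoS" if len(inc["sources"]) > 1 else "DoS"
    return report


def format_report(report, window_seconds=5):
    """One human-readable line per incident: kind, target, peak count, sources."""
    return [f"{i['kind']} against {i['target']}: {i['alerts']} alerts in a "
            f"{window_seconds}s window from {len(i['sources'])} source(s): "
            f"{', '.join(i['sources'])} ({i['first_seen']:%H:%M:%S} - {i['last_seen']:%H:%M:%S})"
            for i in report]


def _flood_lines():
    """Constructed sample: 12 alerts from three hosts to 10.0.0.5:80 in ~2 s."""
    srcs = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    return [f"10/10-09:30:{i // 4:02d}.{100000 * (i % 4) + 1:06d}  [**] [1:100001:1] "
            f"FLOOD: SYN to web [**] [Classification: Attempted Denial of Service] "
            f"[Priority: 2] {{TCP}} {srcs[i % 3]}:{40000 + i} -> 10.0.0.5:80"
            for i in range(12)]


SAMPLE_LINES = [
    "10/10-09:20:00.000001  [**] [1:100002:1] SSH login attempt [**] "
    "[Priority: 3] {TCP} 172.16.0.9:51000 -> 10.0.0.7:22",
    "Running in IDS mode",          # non-alert text the parser must skip
    *_flood_lines(),
    "10/10-09:40:00.000001  [**] [1:100002:1] SSH login attempt [**] "
    "[Priority: 3] {TCP} 172.16.0.9:51001 -> 10.0.0.7:22",
]

if __name__ == "__main__":
    for line in format_report(detect_floods(SAMPLE_LINES)):
        print(line)
```

For live use, feed the generator the output of `tail -f` on the fast alert file instead of SAMPLE_LINES and hand each new report line to whatever pages the network staff. The two isolated alerts against 10.0.0.7 never reach the threshold, so only the flood is reported; shrinking the window to one second with the same threshold reports nothing, which is the knob to tune against the normal alert rate on the segment.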