[Snort-users] DOS rules for Nimda

Richard Ellerbrock richarde at ...6992...
Thu Sep 26 06:56:02 EDT 2002

I am trying to help a very large site that is being killed by denial of
service due to a large number of MS type workstations infected by Nimda.
The standard snort rules are no good as no connection is actually made,
just a HUGE SYN flood looking for open Web servers to infect. Traffic
looks like this:

Each host sends 2x SYN packets exactly the same (same source port, SEQ
and WIN size) to a remote host on port 80. Obviously never gets a reply.
Within a couple of milliseconds, tries another randon destination.

Now my understanding of snort points to the stream4 processor to catch
this stuff, but how to configure. The docs are a little unclear to this
snort newbie. I do get TTL evasion on stream4, but this does not
indicate much.

Any help with rules/setup for this would be great.

More information about the Snort-users mailing list