[Snort-users] DOS rules for Nimda

Martin Roesch roesch at ...1935...
Thu Sep 26 07:28:03 EDT 2002

Is the seq number constant for every connection?  If so you could do a
simple detection rule looking for the seq + window with the SYN flag set.
If you use version 1.9 you can even use the new threshold keyword to only
get one event notification for every X alerts....


On 9/26/02 7:11 AM, "Richard Ellerbrock" <richarde at ...6992...> wrote:

> I am trying to help a very large site that is being killed by denial of
> service due to a large number of MS type workstations infected by Nimda.
> The standard snort rules are no good as no connection is actually made,
> just a HUGE SYN flood looking for open Web servers to infect. Traffic
> looks like this:
> Each host sends 2x SYN packets exactly the same (same source port, SEQ
> and WIN size) to a remote host on port 80. Obviously never gets a reply.
> Within a couple of milliseconds, tries another randon destination.
> Now my understanding of snort points to the stream4 processor to catch
> this stuff, but how to configure. The docs are a little unclear to this
> snort newbie. I do get TTL evasion on stream4, but this does not
> indicate much.
> Any help with rules/setup for this would be great.
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list