[Snort-users] Just one rule
cravietz at ...10661...
Mon Dec 1 22:56:01 EST 2003
I have 100 mbps line which is behind a firewall that also runs snort+snortsam. Currently snort catches lots of abusive types of traffic i.e. network scans, some sort of remote exploit attemps etc. But sometimes that network is experiencing one of these DDoS attacks aimed at one IP inside my network and usually it's being hit so hard that it takes whole network down. Snort sometimes detects such attacks as "Bad traffic", other times as something else. So I was wondering if there is any universal script/rule for snort that detects when only one IP is under constant attack and then alerts Snortsam which later triggers the firewall to block this particular IP inside my network that is being attacked. I'd appreciate any help.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users