[Snort-users] Syn-Flood

Frank Barton pauling at ...7195...
Wed Nov 12 07:49:06 EST 2003


I've been looking for a rule that would detect a syn-flood. and the only way I can think of 
doing this would be with N "activate" rules (Where N is the number of SYN packets that 
arive in a specified time), and I think there's got to be a better way.

after reading the rules for dos-attacks, all I saw was that each tool that is detected, is 
detected by some content string, not specifically by a volume.

the documentation pdf doesn't have anything in it about a "count" option, or any other way 
that I can think of to count packets.

if anybody has any ideas, I'd be most thankful.

ob: snort --V: 2.0.0\

-- 
Frank Barton
Starwolf.biz Systems Administrator
www.starwolf.biz/~pauling (My Key is linked there.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20031112/266a4336/attachment.sig>


More information about the Snort-users mailing list