mkettler at ...4108...
Wed Nov 12 09:52:06 EST 2003
At 10:47 AM 11/12/2003, Frank Barton wrote:
>I've been looking for a rule that would detect a syn-flood. and the only
>way I can think of
>doing this would be with N "activate" rules (Where N is the number of SYN
>arive in a specified time), and I think there's got to be a better way.
>after reading the rules for dos-attacks, all I saw was that each tool that
>is detected, is
>detected by some content string, not specifically by a volume.
>the documentation pdf doesn't have anything in it about a "count" option,
>or any other way
>that I can think of to count packets.
>if anybody has any ideas, I'd be most thankful.
This would really need to be done in the code itself with some kind of
variant of spp_portscan. (the classic spp_portscan is implemented as an
event counter, which is exactly what you'd need)
Code-wise it would be fairly trivial to modify spp_portscan's basic logic
to be a synflood detector instead of a portscan detector.. but AFAIK
nobody's done it before.
If you dig in the archives, you'll find this exact topic has been discussed
More information about the Snort-users