[Snort-users] DOS attacks

Todd Wease twease at ...1935...
Thu Mar 13 09:02:12 EDT 2008

Hi Kamran,

Land attack is detected in the Snort decoder and teardrop is detected in
the frag3 preprocessor.  There is also a rule set called dos.rules that
you can try.  Snort does not detect flooding DoS attacks such as UDP
flood or TCP SYN flood because the resources required to track these
would in effect DoS Snort.  Snort typically starts tracking a session
after it has seen a server response (such as a SYN/ACK).

Not sure about the Nessus scan, but it could depend on your Snort
configuration and rule set.


Kamran Shafi wrote:
> P.S.
> Is there a specific preprocessor to handle DOS attacks in Snort or it is
> only done through the Snort rules? In specific, I couldn't find any
> rules for flooding DOS attacks and the classical DOS attacks like land
> and teardrop. Do I have to write my own rules to cater for these types
> of attacks?
> Further, I am conducting a full Nessus scan but Snort is only reporting
> very few alerts (20 odd). Is it normal?
> -- 
> Regards
> Kam
> ------------------------------------------------------------------------
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> ------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list