[Snort-users] tcp syn flood attack

Luis Daniel Lucio Quiroz luis.daniel.lucio at ...11827...
Mon Jun 14 15:48:34 EDT 2010


Ok, after reading, I need to drop a high TCP SYN flood to my Squid.

Is this rule fine, or shall I do other tuning?


drop tcp any any -> 10.1.1.100 3128 ( \
    msg:"Squid sync flood"; \
    flow:established,to_server; \
    detection_filter: track by_src, count 10, seconds 60; \
    sid:1000001; rev:1;)

Regards,

LD

On Monday 14 June 2010 11:58:54, Russ Combs wrote:
> That is documented in the Snort manual and in README.filters in the
> tarball.
> 
> On Mon, Jun 14, 2010 at 12:43 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio at ...11827...> wrote:
> > in 2.8 how is this rule?
> > 
> > On Monday 14 June 2010 10:51:44, Russ Combs wrote:
> > > Snort 2.4 is out of date.  The latest Snort includes a rate-based
> > > attack detection capability that addresses syn floods.  Have you tried
> > > downloading the tarball from snort.org and building an inline version?
> > > 
> > > Russ
> > > 
> > > On Sun, Jun 13, 2010 at 6:42 PM, black_angel black_angel <black.sad.angel at ...11827...> wrote:
> > > > Hello everybody
> > > > my snort inline 2.4 can't detect a syn flood attack using hping3 if
> > > > someone can help me please to write a rule to avoid this attack
> > > > tnx
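A model of how the rule posted above behaves, added here as an example and not part of the original thread or of Snort's own code. It simplifies `detection_filter` to one fixed window per source and represents stream state as a boolean; the addresses, trace and function names are constructed for illustration. It shows that `flow:established` never matches the SYNs of unfinished handshakes, so the filter ends up counting ordinary proxy traffic, while a bare-SYN match (what Snort's `flags:S` tests) counts the flood.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float          # seconds since start of the constructed trace
    src: str           # source address (documentation range, constructed)
    dport: int
    flags: str         # TCP flags: "S" = bare SYN, "PA" = PSH+ACK data
    established: bool  # assumption: True once the handshake has completed

def posted_match(p):
    # The posted rule's header plus flow:established,to_server.
    return p.dport == 3128 and p.established

def syn_match(p):
    # Alternative: bare SYN to the proxy port (what Snort's flags:S tests).
    return p.dport == 3128 and p.flags == "S"

def run_rule(packets, match, count=10, seconds=60):
    """Simplified detection_filter, track by_src: the rule acts only on
    matches beyond `count` inside one `seconds`-long window per source.
    Returns {src: [timestamps of dropped packets]}."""
    state = {}                    # src -> (window start, matches so far)
    dropped = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        if not match(p):
            continue
        start, n = state.get(p.src, (p.ts, 0))
        if p.ts - start >= seconds:   # window expired: start a new one
            start, n = p.ts, 0
        state[p.src] = (start, n + 1)
        if n + 1 > count:
            dropped[p.src].append(p.ts)
    return dict(dropped)

def constructed_trace():
    # 50 SYNs in 5 s from one host that never finishes a handshake ...
    flood = [Pkt(i * 0.1, "192.0.2.10", 3128, "S", False) for i in range(50)]
    # ... and one proxy client: a SYN, then 30 requests on the open session.
    client = [Pkt(0.0, "192.0.2.20", 3128, "S", False)]
    client += [Pkt(1 + i * 0.5, "192.0.2.20", 3128, "PA", True) for i in range(30)]
    return flood + client

if __name__ == "__main__":
    for name, rule in (("posted", posted_match), ("syn", syn_match)):
        hits = run_rule(constructed_trace(), rule)
        print(name, {src: len(ts) for src, ts in hits.items()})
```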



