[Snort-users] tcp syn flood attack

Russ Combs rcombs at ...1935...
Mon Jun 14 16:15:30 EDT 2010


That rule won't exactly catch a syn flood.  Assuming the rule fires the way
you want without the detection_filter, it will, with the detection_filter,
fire when more than 10 such *packets* are received in 60 seconds.

If you truly want a syn flood detection, you need a rate_filter something
like this:

rate_filter \
    gen_id 135, sig_id 1, \
    track by_dst, \
    count 10, seconds 60, \
    new_action drop, timeout <T>, \
    apply_to 10.1.1.100

where <T> is the duration you want to drop before allowing the traffic
through again.

That will catch an excessive rate of syns.

Note that this rate filter applies to the destination IP.  You can also
write a separate rule and then rate filter that rule.

Russ

On Mon, Jun 14, 2010 at 3:48 PM, Luis Daniel Lucio Quiroz <
luis.daniel.lucio at ...11827...> wrote:

> Ok, after reading I need to drop a high tcp syn flood to my squid.
>
> Is this rule fine, or shall I do other tuning?
>
>
> drop tcp any any -> 10.1.1.100 3128 ( \
>    msg:"Squid syn flood"; \
>    flow:established,to_server; \
>    detection_filter: track by_src, count 10, seconds 60; \
>    sid:1000001; rev:1;)
>
> Regards,
>
> LD
>
> On Monday, 14 June 2010 at 11:58:54, Russ Combs wrote:
> > That is documented in the Snort manual and in README.filters in the
> > tarball.
> >
> > On Mon, Jun 14, 2010 at 12:43 PM, Luis Daniel Lucio Quiroz <
> > luis.daniel.lucio at ...11827...> wrote:
> > > In 2.8, how is this rule written?
> > >
> > > On Monday, 14 June 2010 at 10:51:44, Russ Combs wrote:
> > > > Snort 2.4 is out of date.  The latest Snort includes a rate-based
> > > > attack detection capability that addresses syn floods.  Have you tried
> > > > downloading the tarball from snort.org and building an inline version?
> > > >
> > > > Russ
> > > >
> > > > On Sun, Jun 13, 2010 at 6:42 PM, black_angel black_angel <
> > > > black.sad.angel at ...11827...> wrote:
> > > > > Hello everybody,
> > > > > my snort inline 2.4 can't detect a syn flood attack using hping3. If
> > > > > someone can help me, please, to write a rule to avoid this attack,
> > > > > thanks
> > > > >
> > > > > ------------------------------------------------------------------------------
> > > > > ThinkGeek and WIRED's GeekDad team up for the Ultimate
> > > > > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> > > > > lucky parental unit.  See the prize list and enter to win:
> > > > > http://p.sf.net/sfu/thinkgeek-promo
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users at lists.sourceforge.net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
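As an added illustration (not part of the thread and not Snort's own code), the following Python model reproduces the rate_filter semantics Russ describes: count matches per tracked key within seconds, then switch to new_action for timeout seconds. The sliding-window and timeout logic is my reading of README.filters rather than Snort's sfrf implementation, the SYN stream is constructed, and the `RateFilter`/`run` names are mine; it also contrasts `track by_src` with `track by_dst`, which is the point of Russ's closing note.

```python
from collections import defaultdict, deque

# Constructed SYN stream, (time_s, src, dst): twelve SYNs from twelve different
# hosts reach the Squid box within 30 s, then one more arrives well after the
# rate_filter timeout has expired.
SYNS = [(i * 2.5, f"192.0.2.{i + 1}", "10.1.1.100") for i in range(12)]
SYNS.append((120.0, "192.0.2.50", "10.1.1.100"))


class RateFilter:
    """Model of rate_filter count/seconds/timeout semantics (an assumption
    based on README.filters, not Snort's sfrf implementation)."""

    def __init__(self, track, count, seconds, timeout):
        self.key_index = {"by_src": 1, "by_dst": 2}[track]
        self.count, self.seconds, self.timeout = count, seconds, timeout
        self.window = defaultdict(deque)   # key -> match timestamps in window
        self.blocked_until = {}            # key -> time new_action reverts

    def action(self, pkt):
        t, key = pkt[0], pkt[self.key_index]
        if t < self.blocked_until.get(key, -1.0):
            return "drop"                  # inside timeout: new_action applies
        q = self.window[key]
        while q and t - q[0] > self.seconds:   # slide the window forward
            q.popleft()
        q.append(t)
        if len(q) > self.count:            # more than count matches in seconds
            self.blocked_until[key] = t + self.timeout
            q.clear()
            return "drop"
        return "pass"


def run(track, count=10, seconds=60, timeout=60, packets=SYNS):
    """Return the action applied to each packet under the given rate_filter."""
    rf = RateFilter(track, count, seconds, timeout)
    return [rf.action(p) for p in packets]


if __name__ == "__main__":
    for track in ("by_src", "by_dst"):
        print(track, run(track))
```

With `by_src`, a flood spread across many sources never exceeds the per-source count, so nothing is dropped; with `by_dst`, the eleventh SYN to 10.1.1.100 trips the filter and every new connection to that host, legitimate or not, is dropped until the timeout expires.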