[Snort-users] Best solution with snort for voip floods

Luis Daniel Lucio Quiroz luis.daniel.lucio at ...11827...
Mon Apr 22 14:09:09 EDT 2013


Maybe this has been asked many times, I don't know.

I'm having many UDP (unknown protocol - ntop marks them as unknown) floods,
and the worst thing seems to be that the server is answering (icmp and answers).
Anyway, I was wondering about a solution with snort+snortsam+iptables in order to
only allow UDP (rtp port range) from IPs that are registered.

So, if an extension is registered from IP 1.1.1.1, I will allow it to reach ports
10000-20000/udp (example); if it isn't, I will drop the packet.

How can this be done?

Regards,

LD
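
One way to express the allowlist described in this post, as an added example that is not part of the original message: it uses an ipset matched from iptables (ipset is a swapped-in choice, the post names only snort, snortsam and iptables) and prints the commands rather than running them. The set name, the "extension ip" input format and the sample registrations are constructed assumptions; the port range is the example range from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Prints commands; it does not run them.
SET=rtp_registered        # hypothetical ipset name
PORTS=10000:20000         # example RTP range from the post

# True only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Run once: accept RTP only from set members, drop the rest silently
# (a dropped packet also produces no ICMP reply from the server).
emit_firewall_rules() {
    echo "ipset create $SET hash:ip -exist"
    echo "iptables -A INPUT -p udp --dport $PORTS -m set --match-set $SET src -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport $PORTS -j DROP"
}

# Run whenever registrations change. Reads "extension ip" lines on stdin,
# fills a scratch set and swaps it in so the live set is never empty.
emit_set_refresh() {
    echo "ipset create ${SET}_new hash:ip -exist"
    echo "ipset flush ${SET}_new"
    while read -r ext ip rest; do
        case $ext in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip"; then
            echo "ipset add ${SET}_new $ip -exist"
        else
            echo "skipped extension $ext: invalid address '$ip'" >&2
        fi
    done
    echo "ipset swap ${SET}_new $SET"
    echo "ipset destroy ${SET}_new"
}

# Constructed sample input: extension and the IP it registered from.
sample_registrations() {
    printf '%s\n' '# ext ip' '100 1.1.1.1' '101 192.0.2.25' '102 -' '103 300.1.1.1'
}

emit_firewall_rules
sample_registrations | emit_set_refresh
```

RTP can arrive from a different address than the one an extension registered from (for example behind a media relay), so check that against real traffic before enforcing the DROP rule.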