[Snort-users] Writing snort rules for dos detection in tcpdump files

Aneela Safdar ansaf_130 at ...131...
Fri Dec 25 07:50:06 EST 2015

I have got some tcpdump files from KDD-99 dataset and I am trying to find out Neptune attacks recorded in them. I am writing rules in standard form, for instance:
alert tcp any any -> any 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; classtype: attempted-dos; threshold: type threshold, track by_src, count 20, seconds 6; sid:1000001;rev:1;)

According to this very rule, I should be alerted only after 6 seconds if more than 20 rules are found, but it generates alert for all packets having SYN enabled. Can anybody help me here? Regards, Aneela Safdar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20151225/4059b351/attachment.html>

More information about the Snort-users mailing list