[Snort-users] DoS buffer overflow Snort rule

moon sun msun489 at ...131...
Sat Jun 10 12:47:58 EDT 2017

Is this Snort rule correct for detecting a DoS buffer overflow attack?

alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, track by_src, count 70, seconds 10; sid:10001;rev:1;)

And what are the TCP header features that are included in a DoS attack, such as service type: http, port: 80, and the count, and what else?
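
Added example, not part of the original post and not Snort code: a small Python model of what the rule above counts, run over constructed traffic. The HOME_NET range, addresses and packet rates are made up, and the model assumes a fixed 10-second window that starts at a source's first matching packet.

```python
# Simplified model (an assumption, not Snort source code) of the posted rule: external ->
# HOME_NET:80, only SYN set, "threshold: type both, track by_src, count 70, seconds 10".
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.0.2.0/24")   # constructed value for $HOME_NET
COUNT, SECONDS = 70, 10                 # from the rule's threshold option


def rule_matches(pkt):
    """Header checks of the rule: !$HOME_NET any -> $HOME_NET 80, flags: S."""
    return (ip_address(pkt["src"]) not in HOME_NET
            and ip_address(pkt["dst"]) in HOME_NET
            and pkt["dport"] == 80
            and pkt["flags"] == "S")


def run_threshold(packets):
    """Return (time, src) of each alert; one alert per source per window."""
    state = {}    # src -> [window_start, matches_in_window]
    alerts = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if not rule_matches(pkt):
            continue
        entry = state.get(pkt["src"])
        if entry is None or pkt["ts"] - entry[0] >= SECONDS:
            entry = state[pkt["src"]] = [pkt["ts"], 0]   # start a new window
        entry[1] += 1
        if entry[1] == COUNT:     # "both": alert on the 70th match, then stay quiet
            alerts.append((pkt["ts"], pkt["src"]))
    return alerts


def syns(src, start, n, rate, flags="S"):
    """Constructed sample traffic: n packets from src at `rate` packets/second."""
    return [{"ts": start + i / rate, "src": src, "dst": "192.0.2.10",
             "dport": 80, "flags": flags} for i in range(n)]


def demo():
    traffic = (syns("198.51.100.7", 0.0, 200, 40)          # 200 SYNs in 5 s
               + syns("203.0.113.9", 0.0, 30, 3)           # 30 SYNs in 10 s
               + syns("198.51.100.8", 0.0, 500, 20)        # 20 SYN/s for 25 s
               + syns("203.0.113.5", 0.0, 300, 60, "SA"))  # SYN+ACK, not matched
    return run_threshold(traffic)


if __name__ == "__main__":
    for ts, src in demo():
        print(f"{ts:6.2f}s  alert  Possible TCP DoS  src={src}")
```

In this model the rule depends only on the source and destination addresses, the destination port, the SYN flag and a per-source packet count over time; nothing in it looks at payload content.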
