Snort detecting distributed syn floods
From: Brian T (briant4592_at_hotmail.com)
Date: 01/10/05
- Previous message: Erik F: "Re: ForeScout ActiveScout"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-ids@securityfocus.com Date: Mon, 10 Jan 2005 13:38:45 -0500
Hello List,
Over the past several months I have been experiencing intermittent DDoS
attempts. The traffic is a distributed syn flood that usually goes after
known backdoored ports and targets 40k+ IPs. We are using snort and have a
tap in front of the firewall. I would like to set up a detection mechanism
for this type of attack but since the target ports keep changing I'm not
sure Snort has the capability of performing this type of detection (sounds
like I may need something be anomaly based). I want to detect a distributed
syn flood/scan without having the related IDS rule(s) tied to any specific
ports. The motive is to be proactive instead of adding a rule after an
attack has occurred. I'm relatively new to snort and was hoping to get some
feedback from anyone who has used snort to detect this type of attack.
Thanks,
Brian T
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
- Previous message: Erik F: "Re: ForeScout ActiveScout"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
