alert tcp $HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, track by_src, count 70, seconds 10; sid:10001; rev:1;)
-
This is a DoS attack and the above rule is used for a DoS attack – Sourav Tathgur May 18 '17 at 19:08
1 Answer
Refer to link: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html
Image source: http://kangmyounghun.blogspot.com/2017/01/snort-threshold.html

Mr.kang
-
Hi Mr. Kang, I am just making my project only to stop DoS attacks using a Snort rule, but I didn't know how to write code to match the incoming packets with this rule and how it gets triggered. Any code-related help for matching? – Sourav Tathgur May 20 '17 at 18:41
-
@SouravTathgur Refer to link: http://stackoverflow.com/questions/43579701/what-is-difference-between-syn-flood-and-port-scan-attack/43589682#43589682 – Mr.kang May 21 '17 at 06:55
-
That suggestion helped me, but I want to know how the rule will be triggered when the attack occurs, meaning what to write in code to trigger the rule when the attack occurs – Sourav Tathgur May 21 '17 at 15:54
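
How the rule in the question decides when to fire, as an added example that is not part of the original posts and is not Snort's own code: a simplified Python model of the header match and of `threshold: type both, track by_src, count 70, seconds 10`, following the Snort manual's description of `type both` (alert once per interval after `count` matches). The `HOME_NET` value, the packet tuples and the fixed-window bookkeeping are assumptions.

```python
import ipaddress
from collections import namedtuple

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed value of $HOME_NET
COUNT, WINDOW_MS = 70, 10_000                      # count 70, seconds 10

Packet = namedtuple("Packet", "ts_ms src dst dport flags")

def header_matches(p):
    """alert tcp $HOME_NET any -> $HOME_NET 80 with flags: S (SYN only)."""
    return (ipaddress.ip_address(p.src) in HOME_NET
            and ipaddress.ip_address(p.dst) in HOME_NET
            and p.dport == 80
            and p.flags == "S")

def run_rule(packets):
    """Return [(ts_ms, src)] alerts for threshold: type both, track by_src."""
    state = {}    # src -> [window_start_ms, matches_in_window]
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts_ms):
        if not header_matches(p):
            continue
        win = state.get(p.src)
        if win is None or p.ts_ms - win[0] >= WINDOW_MS:
            win = state[p.src] = [p.ts_ms, 0]   # start a new window for this source
        win[1] += 1
        if win[1] == COUNT:                     # alert once, on the 70th match
            alerts.append((p.ts_ms, p.src))
    return alerts

def sample_traffic():
    """Constructed packets, not a real capture."""
    web = "192.168.1.10"
    pkts = [Packet(i * 50, "192.168.1.50", web, 80, "S") for i in range(400)]    # 20 SYN/s
    pkts += [Packet(i * 1000, "192.168.1.60", web, 80, "S") for i in range(30)]  # 1 SYN/s
    pkts += [Packet(i * 10, "192.168.1.70", web, 80, "SA") for i in range(100)]  # SYN+ACK
    pkts += [Packet(i * 10, "203.0.113.5", web, 80, "S") for i in range(100)]    # outside HOME_NET
    return pkts

if __name__ == "__main__":
    for ts_ms, src in run_rule(sample_traffic()):
        print(f"{ts_ms / 1000:.2f}s  Possible TCP DoS  src={src}")
```

With this sample only 192.168.1.50 alerts, once in each 10-second window. The source at 203.0.113.5 never matches, because the source side of the rule is `$HOME_NET`.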