[Oisf-users] tracking source and destination port
Michael Hoffrath
Hoffrath at gmx.de
Thu Jul 4 16:17:46 UTC 2013
Hello,
Some time ago I was the target of a DDoS which had a very simple pattern: the source IP was random and spoofed, but for all DDoS clients the source and destination port was the same. Is there a way to write a rule that keeps track of source/destination port combinations and triggers if any combination happens several times?
The problem is that I don't know which source/destination port combination is used, so I can't use "alert any $SRC_PORT -> $DST $DST_PORT"
Kind Regards
Michael
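As an added example that is not part of the original post (and not a Suricata rule): one way to do the counting described above offline in Python, over packet tuples taken from a capture or flow log. The function name, the thresholds and the sample packets are constructed assumptions.

```python
from collections import defaultdict, deque


def find_repeated_port_pairs(packets, window=10.0, threshold=5, min_sources=3):
    """Return {(sport, dport): (alert_ts, hits, distinct_sources)}.

    packets: iterable of (ts, src_ip, sport, dst_ip, dport), sorted by ts.
    A pair alerts once, when it was seen `threshold` times within `window`
    seconds from at least `min_sources` different source IPs. The source
    count keeps one long-lived connection from a single client (which also
    repeats its port pair) from being reported.
    """
    recent = defaultdict(deque)  # (sport, dport) -> deque of (ts, src_ip)
    alerts = {}
    for ts, src_ip, sport, _dst_ip, dport in packets:
        key = (sport, dport)
        seen = recent[key]
        seen.append((ts, src_ip))
        # Drop observations that fell out of the sliding window.
        while ts - seen[0][0] > window:
            seen.popleft()
        if key in alerts:
            continue
        sources = {ip for _, ip in seen}
        if len(seen) >= threshold and len(sources) >= min_sources:
            alerts[key] = (ts, len(seen), len(sources))
    return alerts


def sample_packets():
    """Constructed sample traffic (documentation address ranges)."""
    pkts = []
    for i in range(6):  # flood: changing source IPs, fixed 4444 -> 80
        pkts.append((100.0 + i * 0.5, f"198.51.100.{10 + i}", 4444, "192.0.2.1", 80))
    for i in range(6):  # one real client reusing its connection's port pair
        pkts.append((100.2 + i * 0.5, "203.0.113.7", 51000, "192.0.2.1", 443))
    for i in range(4):  # same pair, but spread far wider than the window
        pkts.append((90.0 + i * 20, f"198.51.100.{50 + i}", 5353, "192.0.2.1", 53))
    return sorted(pkts)


if __name__ == "__main__":
    for pair, (ts, hits, srcs) in find_repeated_port_pairs(sample_packets()).items():
        print(f"port pair {pair}: {hits} hits from {srcs} sources by t={ts}")
```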