[Oisf-users] tracking source and destination port

Michael Hoffrath Hoffrath at gmx.de
Thu Jul 4 16:17:46 UTC 2013


some time ago i was target of an ddos which has a very simple pattern, the source ip was random and spoofed but for all ddos clients the source and destination port was the same. Is there a way to write a rule that keeps track of source/destination port combinations and triggers if any combination happens several times?

The problem is, that i don't know which source/destination port combination is used, so i can't use "alert any $SRC_PORT -> $DST $DST_PORT"

Kind Regards

More information about the Oisf-users mailing list