[Oisf-users] tracking source and destination port
Cooper F. Nelson
cnelson at ucsd.edu
Sat Jul 6 00:25:59 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have a question for the suricata developers.
Will the "ET SCAN behavioral" sigs still trigger if you are using the
AF_PACKET 'worker' mode? The issue is that the flows are going to be
spread across multiple threads, so I'm wondering if the threshold
tracking will still work.
On 7/4/2013 11:16 AM, Cooper F. Nelson wrote:
> On 7/4/2013 10:54 AM, Michael wrote:
>>>
>>> The DDOS attacks you describe look like normal traffic flows; so its
>>> hard to detect it automatically.
>
>> Do you think? I think it's very unusual that many different hosts uses the same source and destination port :)
>
>
> Well, to a human that looks unusual. To a router, IDS or server they
> are just normal SYN packets.
>
>> alert tcp $EXTERNAL_NET $HOME_NET -> any any (msg:"LOCAL Potential DDOS, high volume SYN traffic"; flags: S,12; threshold: type both, track by_dst, count 1000, seconds 10;
>
> Thinking about this some more, if the DDOS was higher than any observed
> prior peak traffic (as measured by new flows per second) to a single
> host, the above rule should work. In fact, it will even work if the
> attacker uses random src/dst ports. Its just up to you to define what
> constitutes a DDOS attack.
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJR12QXAAoJEKIFRYQsa8FW4mYH/A/FmVICFUCGbVOlx/0kLGGv
w9tVOQYVH3ctAjGRRw4zGJcUB+tAHp/39fDTlAeffonia/jMO+6dZK+OQBtWmSk6
VXQZD6Oad1yViBYgBEt3YjZAts3tz0Ga7MOCPufJkz1pa04AaKvJ7+yV4JwZZt8q
3UXeTIo4hUz3UQMooFTWHqXIf2EJVWPtq8ipxBR+7NhdQyaA8RDlQSEYyKNOvKIY
9L+PvGy5shJ/ndBdkMytGqAVxYT50P7572qWVPiHm1xiWHOG/RhF0qNC4iP7JxXi
csE5RMPfDQbWtm5lW3aOsCOseGzrZywvhxRoMvqywBZEoRLz1iMrHkKVcR7hfbk=
=hgsu
-----END PGP SIGNATURE-----
More information about the Oisf-users
mailing list