[Oisf-users] tracking source and destination port

[Cooper F. Nelson]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have a question for the suricata developers.

Will the "ET SCAN behavioral" sigs still trigger if you are using the
AF_PACKET 'worker' mode?  The issue is that the flows are going to be
spread across multiple threads, so I'm wondering if the threshold
tracking will still work.

On 7/4/2013 11:16 AM, Cooper F. Nelson wrote:
> On 7/4/2013 10:54 AM, Michael wrote:
>>>
>>> The DDOS attacks you describe look like normal traffic flows; so its
>>> hard to detect it automatically.
> 
>> Do you think? I think it's very unusual that many different hosts uses the same source and destination port :)
> 
> 
> Well, to a human that looks unusual.  To a router, IDS or server they
> are just normal SYN packets.
> 
>> alert tcp $EXTERNAL_NET $HOME_NET -> any any (msg:"LOCAL Potential DDOS, high volume SYN traffic"; flags: S,12; threshold: type both, track by_dst, count 1000, seconds 10;
> 
> Thinking about this some more, if the DDOS was higher than any observed
> prior peak traffic (as measured by new flows per second) to a single
> host, the above rule should work.  In fact, it will even work if the
> attacker uses random src/dst ports.  Its just up to you to define what
> constitutes a DDOS attack.

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJR12QXAAoJEKIFRYQsa8FW4mYH/A/FmVICFUCGbVOlx/0kLGGv
w9tVOQYVH3ctAjGRRw4zGJcUB+tAHp/39fDTlAeffonia/jMO+6dZK+OQBtWmSk6
VXQZD6Oad1yViBYgBEt3YjZAts3tz0Ga7MOCPufJkz1pa04AaKvJ7+yV4JwZZt8q
3UXeTIo4hUz3UQMooFTWHqXIf2EJVWPtq8ipxBR+7NhdQyaA8RDlQSEYyKNOvKIY
9L+PvGy5shJ/ndBdkMytGqAVxYT50P7572qWVPiHm1xiWHOG/RhF0qNC4iP7JxXi
csE5RMPfDQbWtm5lW3aOsCOseGzrZywvhxRoMvqywBZEoRLz1iMrHkKVcR7hfbk=
=hgsu
-----END PGP SIGNATURE-----