[Oisf-users] tracking source and destination port
Victor Julien
lists at inliniac.net
Mon Jul 8 07:37:42 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/06/2013 02:25 AM, Cooper F. Nelson wrote:
> I have a question for the suricata developers.
>
> Will the "ET SCAN behavioral" sigs still trigger if you are using
> the AF_PACKET 'worker' mode? The issue is that the flows are going
> to be spread across multiple threads, so I'm wondering if the
> threshold tracking will still work.
Yeah. The 'state' for thresholding is global, thus shared by all threads.
Cheers,
Victor
>
> On 7/4/2013 11:16 AM, Cooper F. Nelson wrote:
>> On 7/4/2013 10:54 AM, Michael wrote:
>>>>
>>>> The DDOS attacks you describe look like normal traffic flows;
>>>> so it's hard to detect it automatically.
>
>>> Do you think? I think it's very unusual that many different
>>> hosts use the same source and destination port :)
>
>
>> Well, to a human that looks unusual. To a router, IDS or server
>> they are just normal SYN packets.
>
>>> alert tcp $EXTERNAL_NET $HOME_NET -> any any (msg:"LOCAL
>>> Potential DDOS, high volume SYN traffic"; flags: S,12;
>>> threshold: type both, track by_dst, count 1000, seconds 10;
>
>> Thinking about this some more, if the DDOS was higher than any
>> observed prior peak traffic (as measured by new flows per second)
>> to a single host, the above rule should work. In fact, it will
>> even work if the attacker uses random src/dst ports. It's just up
>> to you to define what constitutes a DDOS attack.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlHabEEACgkQiSMBBAuniMcdgACdGbe4N7yKctRhB+brPwvpqQXR
wCUAn3Dh8MHQHGkbf5tFBVL39IfbCc6x
=/iz/
-----END PGP SIGNATURE-----
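The question in this thread, whether a `threshold: type both, track by_dst` counter keeps working when AF_PACKET worker threads split the flows, is easy to see with a small model. The following is an added example, not Suricata's code and not from anyone on the thread: it runs the quoted rule's matching logic (`flags:S,12` plus the threshold) over constructed SYN traffic, once with one threshold state object shared by all workers (what Victor describes) and once with a separate state per worker. The `type both` semantics are a simplified model, the CRC-based worker assignment is a stand-in for the kernel's AF_PACKET flow hash, and the traffic is constructed; all three are assumptions of the example.

```python
"""Added model of the rule quoted in the thread (not Suricata's own code):

    alert tcp $EXTERNAL_NET $HOME_NET -> any any (flags:S,12;
      threshold: type both, track by_dst, count 1000, seconds 10; ...)

Runs it over constructed SYN traffic with the threshold state either shared
by every packet-processing worker or kept per worker.  The 'type both'
semantics are simplified and the worker assignment is a stand-in for the
kernel's AF_PACKET flow hash; both are assumptions of this example."""
from dataclasses import dataclass
from zlib import crc32


@dataclass(frozen=True)
class Pkt:
    ts_ms: int    # arrival time, milliseconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # Snort/Suricata flag letters: S=SYN, A=ACK, 1=CWR, 2=ECE, ...


def syn_only(flags: str, ignore: str = "12") -> bool:
    """flags:S,12 -> after ignoring bits 1 and 2 (the ECN bits), SYN alone is set."""
    return set(flags) - set(ignore) == {"S"}


class ThresholdBoth:
    """threshold: type both, track by_dst, count N, seconds T (simplified model):
    count matching packets per destination inside a T-second window, alert once
    on the packet at which the count reaches N, and suppress further alerts for
    that destination until the window has expired and counting restarts."""

    def __init__(self, count: int, seconds: int):
        self.count = count
        self.window_ms = seconds * 1000
        self.state = {}   # dst -> [window_start_ms, hits, already_alerted]

    def feed(self, pkt: Pkt) -> bool:
        st = self.state.setdefault(pkt.dst, [pkt.ts_ms, 0, False])
        if pkt.ts_ms - st[0] >= self.window_ms:   # window expired: start a new one
            st[:] = [pkt.ts_ms, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def worker_for(pkt: Pkt, workers: int) -> int:
    """Stand-in for the kernel's flow hash: a given 5-tuple always lands on one worker."""
    key = f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}".encode()
    return crc32(key) % workers


def run(pkts, workers: int, shared: bool, count: int = 1000, seconds: int = 10):
    """Return [(ts_ms, dst), ...] for every alert the rule raises over pkts."""
    if shared:
        one = ThresholdBoth(count, seconds)
        states = [one] * workers                      # every worker uses the same object
    else:
        states = [ThresholdBoth(count, seconds) for _ in range(workers)]
    alerts = []
    for p in sorted(pkts, key=lambda p: p.ts_ms):
        if not syn_only(p.flags):                     # SYN-ACKs etc. never count
            continue
        if states[worker_for(p, workers)].feed(p):
            alerts.append((p.ts_ms, p.dst))
    return alerts


def build_sample():
    """Constructed traffic (not a capture): two bursts of 1200 SYNs from 1200
    distinct client ports to 10.0.0.5:80, one at t=0 s and one at t=30 s, at
    200 SYN/s, every 7th SYN carrying the ECN bits; the server's SYN-ACKs; and
    a trickle of ordinary SYNs to 10.0.0.9 that must never trigger the rule."""
    pkts = []
    for start in (0, 30_000):
        for i in range(1200):
            src, sport = f"203.0.113.{i % 254 + 1}", 40_000 + i
            flags = "S12" if i % 7 == 0 else "S"
            pkts.append(Pkt(start + 5 * i, src, sport, "10.0.0.5", 80, flags))
            pkts.append(Pkt(start + 5 * i + 1, "10.0.0.5", 80, src, sport, "SA"))
    for j in range(50):
        pkts.append(Pkt(1000 * j, f"192.0.2.{j + 1}", 50_000 + j, "10.0.0.9", 443, "S"))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("shared state, 4 workers    :", run(sample, 4, shared=True))
    print("per-worker state, 4 workers:", run(sample, 4, shared=False))
    print("single worker              :", run(sample, 1, shared=False))
```

With shared state the rule fires once per burst (on the 1000th SYN, and again after the 10-second window has lapsed); with one state object per worker, the 1200 SYNs of each burst are split roughly 300 per worker and no counter ever reaches 1000, so the same traffic produces no alert at all. That is the difference Cooper was asking about, and the reason the global threshold state matters in worker mode. The ECN-marked SYNs are counted because `flags:S,12` masks bits 1 and 2 before comparing, while the SYN-ACK replies are not.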