[Oisf-users] Syn flood protection with Suricata
Aline Shir
alineshir0 at gmail.com
Tue Feb 11 13:54:50 UTC 2014
Hi guys,
I'm looking for a way to block IP addresses performing a SYN flood on my
network.
I've seen some example rules, like this one:
alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, track by_src, count 70, seconds 10; sid:10001; rev:1;)
The rule seems to trigger correctly. What I'm looking for is something
like Snort's rate_filter that blocks the source IP for n seconds if
it triggers the above rule x times.
If you have any idea on how to do it, I'll be grateful.
Thank you.
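Added example (not part of the original post, and not Suricata's own code): a small Python model of the behaviour the post asks for, a rate_filter-style action switch layered on the sid:10001 rule. Each rule match is tracked by source address; once a source produces `count` matches within `seconds`, the action for that source becomes `new_action` (here "drop", which only has effect in an inline/IPS deployment) for `timeout` seconds, after which it returns to "alert". The parameters (count 70, seconds 10, timeout 30) and the event stream of SYN matches are constructed for illustration; the class and function names are mine.

```python
"""Model of rate_filter-style blocking for per-source rule matches.

Constructed illustration of the semantics: count matches per source in a
sliding window; when the count is reached, switch the action for that
source to `new_action` for `timeout` seconds. Not Suricata code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SrcState:
    window_start: float  # start of the current counting window
    matches: int = 0  # rule matches seen in the current window
    blocked_until: float = -1.0  # time until which new_action applies


class RateFilter:
    def __init__(self, count: int, seconds: float, timeout: float,
                 new_action: str = "drop") -> None:
        self.count = count
        self.seconds = seconds
        self.timeout = timeout
        self.new_action = new_action
        self.state: Dict[str, SrcState] = {}

    def action_for(self, src: str, ts: float) -> str:
        """Return the action ("alert" or new_action) for one rule match."""
        if src not in self.state:
            self.state[src] = SrcState(window_start=ts)
        st = self.state[src]

        # Still inside a block period: keep applying the new action.
        if ts < st.blocked_until:
            return self.new_action

        # Counting window expired: start a fresh one.
        if ts - st.window_start >= self.seconds:
            st.window_start = ts
            st.matches = 0

        st.matches += 1
        if st.matches >= self.count:
            # Threshold reached: block this source for `timeout` seconds.
            st.blocked_until = ts + self.timeout
            st.window_start = ts
            st.matches = 0
            return self.new_action
        return "alert"


def apply_filter(events: List[Tuple[str, float]],
                 rf: RateFilter) -> List[Tuple[str, float, str]]:
    """Run every (src, timestamp) rule match through the filter in time order."""
    return [(src, ts, rf.action_for(src, ts))
            for src, ts in sorted(events, key=lambda e: e[1])]


def summarize(results: List[Tuple[str, float, str]]) -> Dict[Tuple[str, str], int]:
    """Count actions per (source, action) pair."""
    counts: Dict[Tuple[str, str], int] = {}
    for src, _, action in results:
        counts[(src, action)] = counts.get((src, action), 0) + 1
    return counts


def demo() -> Dict[Tuple[str, str], int]:
    # Constructed matches of sid:10001 (SYN to port 80), documentation addresses.
    events: List[Tuple[str, float]] = []
    events += [("198.51.100.7", 0.05 * i) for i in range(75)]  # 75 SYNs in ~4 s
    events += [("203.0.113.9", 1.0 + i) for i in range(5)]  # 5 SYNs in 5 s
    events += [("198.51.100.7", 40.0 + 0.01 * i) for i in range(10)]  # after timeout
    rf = RateFilter(count=70, seconds=10, timeout=30, new_action="drop")
    return summarize(apply_filter(events, rf))


if __name__ == "__main__":
    for key, n in sorted(demo().items()):
        print(key, n)
```

In the constructed stream, 198.51.100.7 gets 69 alerts, then the 70th match within the window and the 5 that follow are dropped, and its later burst after the 30-second timeout is back to plain alerts; 203.0.113.9 never reaches the count and only alerts. The model ignores the rule's own `threshold` keyword and counts raw matches, which is the distinction to keep in mind when reasoning about how many events a source must send before an action switch kicks in.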