[Oisf-users] Syn flood protection with Suricata

Aline Shir alineshir0 at gmail.com
Tue Feb 11 13:54:50 UTC 2014


hi guys,

I'm looking for a way to block ip addresses performing syn flood on my
network.

I've seen some example rules, like this one:
alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS";
flow: stateless; threshold: type both, track by_src, count 70, seconds 10;
sid:10001;rev:1;)

The rule seems to trigger correctly. What I'm looking for, is something
like snort's rate_limit filter that blocks the source ip for n seconds if
it triggers the above rule x times.

If you have any idea on how to do it I'll be grateful.

Thank you.
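As an added example (not from the original post and not Suricata's own code), the Python below replays constructed SYN events through the semantics of the posted rule's threshold (type both, track by_src, count 70, seconds 10) and adds the rate_limit-style behaviour the post asks for: once the rule fires, further SYNs from that source are treated as dropped for a timeout. The class and function names, the 60-second timeout and the sample addresses are assumptions.

```python
"""Replay of the rule's threshold semantics plus a rate_filter-style block timer."""
from collections import defaultdict

COUNT, SECONDS = 70, 10   # from the rule: threshold type both, track by_src, count 70, seconds 10
BLOCK_TIMEOUT = 60        # assumed: how long a source stays dropped after the rule fires

class SynFloodTracker:
    """Per-source SYN counting the way 'threshold: type both, track by_src' behaves."""
    def __init__(self, count=COUNT, seconds=SECONDS, timeout=BLOCK_TIMEOUT):
        self.count, self.seconds, self.timeout = count, seconds, timeout
        self.window = {}         # src -> (window_start, syn_count, alerted_this_window)
        self.blocked_until = {}  # src -> time at which the drop verdict expires

    def handle_syn(self, ts, src):
        """Return the verdict for one SYN from src at time ts: 'drop', 'alert' or 'pass'."""
        if self.blocked_until.get(src, -1.0) > ts:
            return "drop"                       # still inside the block timeout
        start, n, alerted = self.window.get(src, (ts, 0, False))
        if ts - start >= self.seconds:          # interval expired: open a fresh window
            start, n, alerted = ts, 0, False
        n += 1
        verdict = "pass"
        if n >= self.count and not alerted:     # type both: at most one alert per interval
            alerted, verdict = True, "alert"
            self.blocked_until[src] = ts + self.timeout
        self.window[src] = (start, n, alerted)
        return verdict

def replay(events, tracker=None):
    """Feed (timestamp, src_ip) SYN events through a tracker; return (ts, src, verdict) triples."""
    tracker = tracker or SynFloodTracker()
    return [(ts, src, tracker.handle_syn(ts, src)) for ts, src in events]

def summarize(verdicts):
    """Count verdicts per source, e.g. {'203.0.113.7': {'pass': 69, 'alert': 1, 'drop': 30}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, src, verdict in verdicts:
        counts[src][verdict] += 1
    return {src: dict(c) for src, c in counts.items()}

# Constructed sample traffic: 100 SYNs in 5 s from one source, 5 SYNs in 5 s from a quiet one.
FLOOD = [(i * 0.05, "203.0.113.7") for i in range(100)]
QUIET = [(float(i), "198.51.100.2") for i in range(5)]
SAMPLE = sorted(FLOOD + QUIET)

if __name__ == "__main__":
    for src, counts in summarize(replay(SAMPLE)).items():
        print(src, counts)
```

Suricata itself offers this escalation natively through a rate_filter line in threshold.config (track by_src, count, seconds, new_action drop, timeout), which only drops traffic when the sensor runs in IPS mode.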