[Oisf-users] Syn flood protection with Suricata

Victor Julien lists at inliniac.net
Tue Feb 11 14:25:01 UTC 2014

On 02/11/2014 02:54 PM, Aline Shir wrote:
> I'm looking for a way to block ip addresses performing syn flood on my
> network.
> I've seen some example rules, like this one:
> alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP
> DoS"; flow: stateless; threshold: type both, track by_src, count 70,
> seconds 10; sid:10001;rev:1;)
> The rule seems to trigger correctly. What I'm looking for, is something
> like snort's rate_limit filter that blocks the source ip for n seconds
> if it triggers the above rule x times.

Have you tried using rate_limit? We support the keyword, so it should
work like in Snort.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
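As an added example that is not part of the thread above: the directive Suricata supports for this is rate_filter, configured in threshold.config (the file suricata.yaml points to with threshold-file), not in the rule itself. The fragment below pairs the rule from the question with a rate_filter entry that escalates it to drop per source; the count, seconds and timeout values are assumptions chosen for illustration. Note that new_action drop only blocks traffic when Suricata runs inline (for example NFQUEUE or AF_PACKET in IPS mode); in passive IDS mode the action is logged but nothing is dropped.

```conf
# local.rules -- the rule from the thread, unchanged (gen_id defaults to 1)
alert tcp !$HOME_NET any -> $HOME_NET 80 (flags:S; msg:"Possible TCP DoS"; flow:stateless; threshold: type both, track by_src, count 70, seconds 10; sid:10001; rev:1;)

# threshold.config -- referenced from suricata.yaml as:  threshold-file: /etc/suricata/threshold.config
# Once sid 10001 has fired 5 times from the same source within 60 seconds
# (assumed values), switch that rule's action to drop for that source for
# 300 seconds, then revert to alert. Requires inline (IPS) mode to actually block.
rate_filter gen_id 1, sig_id 10001, track by_src, count 5, seconds 60, new_action drop, timeout 300
```

After changing threshold.config, reload the rules (a SIGUSR2 to the suricata process, or a full restart) and confirm in suricata.log that the threshold file was parsed without errors before relying on it.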
