[Oisf-users] Syn flood protection with Suricata

Aline Shir alineshir0 at gmail.com
Wed Feb 12 14:16:06 UTC 2014


My bad, I meant "rate_filter" and not "rate_limit".
I'll check if "rate_filter" is supported.

Thank you, Victor


On Tue, Feb 11, 2014 at 3:25 PM, Victor Julien <lists at inliniac.net> wrote:

> On 02/11/2014 02:54 PM, Aline Shir wrote:
> > I'm looking for a way to block ip addresses performing syn flood on my
> > network.
> >
> > I've seen some example rules, like this one:
> > alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP
> > DoS"; flow: stateless; threshold: type both, track by_src, count 70,
> > seconds 10; sid:10001;rev:1;)
> >
> > The rule seems to trigger correctly. What I'm looking for is something
> > like Snort's rate_limit filter that blocks the source IP for n seconds
> > if it triggers the above rule x times.
>
> Have you tried using rate_limit? We support the keyword, so it should
> work like in Snort.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
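To make concrete what the thread is asking for, here is an added Python model (my own illustration, not Suricata's code and not from either poster) of the two stages: the quoted rule's "threshold: type both, track by_src, count 70, seconds 10" on SYN-only packets, followed by a rate_filter-style escalation that switches a source to drop once the rule has fired for it several times within a window. In Suricata itself the second stage is configured in threshold.config rather than in code; for the quoted rule the line would take the form "rate_filter gen_id 1, sig_id 10001, track by_src, count 3, seconds 60, new_action drop, timeout 120". The count, seconds and timeout values there, the sample traffic, and the simplified interval semantics in the code are all assumptions chosen for this example.

```python
"""Model of the two-stage scheme discussed in the thread.

Stage 1 is the posted rule's 'threshold: type both, track by_src, count 70,
seconds 10' on SYN-only packets; stage 2 is a rate_filter-style escalation:
once a source has triggered the rule X times within Y seconds, its action
switches to 'drop' for a timeout. This is an added illustration, not Suricata's
implementation: interval handling and rate_filter semantics are simplified,
and the rate_filter parameters and sample traffic are assumptions.
"""
from collections import defaultdict, deque

# Values taken from the rule quoted in the thread
RULE_THRESHOLD = {"count": 70, "seconds": 10}
# Assumed rate_filter parameters (not from the thread): 3 triggers within 60 s
# switch the source to 'drop' for 120 s
RATE_FILTER = {"count": 3, "seconds": 60, "timeout": 120}


class ThresholdBoth:
    """Per-source 'threshold: type both': fire once when a source reaches
    `count` matches inside a `seconds`-long interval, then stay silent for
    that source until the interval expires and a new one starts."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.window_start = {}          # src -> start time of current interval
        self.hits = defaultdict(int)    # src -> matches in current interval
        self.alerted = set()            # sources that already fired this interval

    def match(self, src, ts):
        """Record one rule match; return True if the rule should fire."""
        start = self.window_start.get(src)
        if start is None or ts - start >= self.seconds:
            self.window_start[src] = ts     # open a new interval
            self.hits[src] = 0
            self.alerted.discard(src)
        self.hits[src] += 1
        if self.hits[src] >= self.count and src not in self.alerted:
            self.alerted.add(src)
            return True
        return False


class RateFilter:
    """rate_filter-style escalation: after `count` rule triggers from one
    source within `seconds`, answer 'drop' for that source for `timeout`."""

    def __init__(self, count, seconds, timeout):
        self.count, self.seconds, self.timeout = count, seconds, timeout
        self.triggers = defaultdict(deque)  # src -> recent trigger timestamps
        self.blocked_until = {}             # src -> time the drop action expires

    def is_blocked(self, src, ts):
        until = self.blocked_until.get(src)
        return until is not None and ts < until

    def on_trigger(self, src, ts):
        """Called whenever the rule fires; returns the action to apply."""
        q = self.triggers[src]
        q.append(ts)
        while q and ts - q[0] >= self.seconds:   # forget triggers outside the window
            q.popleft()
        if len(q) >= self.count:
            self.blocked_until[src] = ts + self.timeout
            q.clear()
            return "drop"
        return "alert"


def simulate(packets, thr=None, rf=None):
    """packets: iterable of (timestamp_seconds, src_ip, tcp_flags).
    Returns a list of (timestamp, src, verdict), verdict in pass/alert/drop."""
    thr = thr or ThresholdBoth(**RULE_THRESHOLD)
    rf = rf or RateFilter(**RATE_FILTER)
    verdicts = []
    for ts, src, flags in sorted(packets):
        if flags != "S":                  # 'flags: S' only matches SYN-only packets
            verdicts.append((ts, src, "pass"))
        elif rf.is_blocked(src, ts):      # source is inside its drop timeout
            verdicts.append((ts, src, "drop"))
        elif thr.match(src, ts):
            verdicts.append((ts, src, rf.on_trigger(src, ts)))
        else:
            verdicts.append((ts, src, "pass"))
    return verdicts


def summarize(verdicts):
    """Per-source counts of each verdict."""
    out = defaultdict(lambda: {"pass": 0, "alert": 0, "drop": 0})
    for _, src, verdict in verdicts:
        out[src][verdict] += 1
    return dict(out)


def sample_packets():
    """Constructed traffic: 10.0.0.1 sends 300 SYNs at 10/s for 30 s (a flood);
    192.0.2.10 makes a few normal connection attempts."""
    flood = [(i / 10, "10.0.0.1", "S") for i in range(300)]
    legit = [(1.0, "192.0.2.10", "S"), (1.1, "192.0.2.10", "A"),
             (15.0, "192.0.2.10", "S"), (25.0, "192.0.2.10", "S")]
    return flood + legit


if __name__ == "__main__":
    for src, counts in summarize(simulate(sample_packets())).items():
        print(src, counts)
```

Run stand-alone it shows the flooding source alerting once per 10-second interval (at its 70th SYN), being switched to drop on the third alert within 60 seconds, and having every later SYN dropped for the timeout, while 192.0.2.10 never reaches 70 and is untouched. One caveat worth keeping in mind when relying on this against a real SYN flood: track by_src keys on the source address in the packet, so a flood with spoofed sources spreads its SYNs across addresses that never reach the count, and per-source blocking then does little.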