[Oisf-users] Question about the Detection possibilities

Cooper F. Nelson cnelson at ucsd.edu
Tue Mar 31 17:09:54 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 3/30/2015 7:15 PM, Gary Faulkner wrote:
> I'm wondering if a slight variation on those sigs to 'track by_src'
> would detect potential scans/DOS where there is 1 source and multiple
> targets? Also I'm wondering if it is at all desirable to change the
> flags section based on RFC 3168 or if it has no practical effect on the
> rule?

That's how the original sigs to detect scans are written.  My sigs are
looking for SYN floods to a single host, so it's 'track by_dst'.

Btw, my sigs may have a large performance hit, so keep that in mind
before running them.

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJVGtThAAoJEKIFRYQsa8FWsmwH/1mp06Diej/1p0cW3Zuhey2+
p+49mXwC40jyGtUxHigRscUOdghSRJk2oKXwG2sqVj0cSeBvNUztJ2BwHD+9Mqso
NnMnL29+nafKTls1fUQkihiDenF5a0j1TgnfKH+IfnTjk8+O70FD9OfRMs+Rwzdm
PLqJee+WvcOAz4dZALybRhERcSXVx3HumAEMXtSvNvYo58HaqAv6jlwCvXTYVcEN
1/+1QpmLQdzabLjz3i6yqzayLEJKlIVzGSlwYPO1TlrGz3hZMpysilKFpf4n5qaw
o5xok5UanLHRy2AD/s/GtCuWcYgR0zm3DtZeRcwxYsBYyJFxuXuKr0vZBk46G4E=
=dOmg
-----END PGP SIGNATURE-----
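The difference between 'track by_src' and 'track by_dst' that the exchange above turns on, worked through as an added example (this is not code from the message, from Suricata, or from the sigs being discussed). It models the sliding-window counting that a threshold rule performs, applies it to constructed sample traffic containing one horizontal scan and one SYN flood, and shows that by_src surfaces the scan (one source, many targets) while by_dst surfaces the flood (many sources, one target). The SYN test masks out the two RFC 3168 ECN bits (CWR, ECE) so that ECN-capable connection attempts are still counted; the packet-record format, the addresses, and the 10-in-5-seconds threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# TCP flag bits: RFC 793 flags plus the two ECN bits added by RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128
ECN_MASK = ECE | CWR


def is_bare_syn(flags):
    """True for a connection attempt: SYN set and nothing else,
    after ignoring the RFC 3168 ECN bits (CWR/ECE), which an ECN-capable
    client legitimately sets on its initial SYN."""
    return (flags & ~ECN_MASK) == SYN


class ThresholdTracker:
    """Sliding-window counter modelled on the shape of a rule option such as
    'threshold: type threshold, track by_src, count 10, seconds 5'.
    Packets are plain dicts with ts (seconds), src, dst and flags (assumed format)."""

    def __init__(self, track, count, seconds):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.track, self.count, self.seconds = track, count, seconds
        self.windows = defaultdict(deque)  # key -> timestamps of recent SYNs

    def observe(self, pkt):
        """Return the tracked key when it crosses the threshold, else None."""
        if not is_bare_syn(pkt["flags"]):
            return None
        key = pkt["src"] if self.track == "by_src" else pkt["dst"]
        window = self.windows[key]
        now = pkt["ts"]
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] > self.seconds:
            window.popleft()
        window.append(now)
        return key if len(window) >= self.count else None


def build_sample_traffic():
    """Constructed sample packets (not a real capture)."""
    pkts = []
    # Horizontal scan: one source, twenty targets, one SYN each, spread over 3.8 s.
    for i in range(20):
        pkts.append({"ts": 100.0 + i * 0.2, "src": "10.0.0.5",
                     "dst": f"192.0.2.{i + 1}", "flags": SYN})
    # SYN flood: twenty sources, one target, ECN-capable SYNs, within 2 s.
    for i in range(20):
        pkts.append({"ts": 200.0 + i * 0.1, "src": f"198.51.100.{i + 1}",
                     "dst": "192.0.2.50", "flags": SYN | ECE | CWR})
    # Normal traffic: a single handshake plus data; none of it should trip.
    pkts += [
        {"ts": 300.0, "src": "10.0.0.9", "dst": "192.0.2.7", "flags": SYN},
        {"ts": 300.1, "src": "192.0.2.7", "dst": "10.0.0.9", "flags": SYN | ACK},
        {"ts": 300.2, "src": "10.0.0.9", "dst": "192.0.2.7", "flags": ACK},
        {"ts": 300.3, "src": "10.0.0.9", "dst": "192.0.2.7", "flags": PSH | ACK},
    ]
    return sorted(pkts, key=lambda p: p["ts"])


def find_offenders(packets, track, count=10, seconds=5):
    """Run the tracker over the packets and return the set of keys that tripped."""
    tracker = ThresholdTracker(track, count, seconds)
    hits = set()
    for pkt in packets:
        key = tracker.observe(pkt)
        if key is not None:
            hits.add(key)
    return hits


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("by_src (scan sources):", find_offenders(traffic, "by_src"))
    print("by_dst (flood targets):", find_offenders(traffic, "by_dst"))
```

Swapping the tracking key is the whole difference: by_src keys the counter on the sender, so twenty one-off SYNs from twenty flood sources never reach the count, while by_dst keys it on the receiver, so the scan's twenty targets each see only a single SYN. Keeping a per-key deque of timestamps is also why such sigs can be expensive on a busy sensor, which is the performance caveat the reply raises.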