[Oisf-users] lots of UDP packet too small in fast.log
John Brown
john at citylinkfiber.com
Mon Nov 9 05:31:15 UTC 2015
Hi,
just installed Suricata and I'm noticing that it's logging
11/09/2015-05:25:14.685678 [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0 -> 42.XX.XX.94:0
11/09/2015-05:25:14.694036 [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0 -> 42.XX.XX.94:0
11/09/2015-05:25:15.249368 [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0 -> 42.XX.XX.94:0
when I tcpdump these, they are DNS packets that are part of an
amplification attack.
1. How do I tune suricata to track these properly ?
2. Are there rules available that will alert on a DNS Amp attack?
Many thanks for help and pointers.
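Added example (not part of the post and not Suricata's own code): a small Python script that parses fast.log lines of the shape quoted above and aggregates the SID 2200038 ("SURICATA UDP packet too small") alerts by source/destination address pair, together with the peak number of alerts per second toward each destination, so a burst toward a single target stands out before any rule tuning is attempted. The sample lines are constructed to mirror the excerpt (addresses masked as in the post; the 10.0.0.53 destination and the third timestamp are made up), and a wrapped fragment is included to show that unparseable lines are counted rather than aborting the run. Because these decoder alerts report port 0 on both ends, grouping is by address pair only.

```python
"""Aggregate Suricata fast.log alerts for one SID by address pair and burst rate.

Added example, not from the original mailing-list post or the Suricata project.
It only reads fast.log text; it does not change Suricata's configuration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One fast.log record per line:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample: the first, second and fourth records copy the post's
# excerpt; the third timestamp and the 10.0.0.53 destination are invented, and
# the last line is a mail-wrapped fragment that must be skipped, not parsed.
SAMPLE_FAST_LOG = """\
11/09/2015-05:25:14.685678  [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0 -> 42.XX.XX.94:0
11/09/2015-05:25:14.694036  [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0 -> 42.XX.XX.94:0
11/09/2015-05:25:14.701210  [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0 -> 42.XX.XX.94:0
11/09/2015-05:25:15.249368  [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0 -> 42.XX.XX.94:0
11/09/2015-05:25:15.260001  [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0 -> 10.0.0.53:0
small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
"""


def parse_fast_log_line(line):
    """Return a dict for one fast.log record, or None if the line does not parse."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_alerts(lines, sid=2200038):
    """Count alerts for `sid` per (src, dst) pair and the peak alerts/second per dst.

    Ports are ignored on purpose: decoder events like 2200038 report them as 0.
    Lines that do not parse are counted in `skipped` instead of raising.
    """
    pairs = Counter()
    per_second = defaultdict(Counter)  # dst -> Counter(second -> alerts)
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_fast_log_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["sid"] != sid:
            continue
        pairs[(rec["src"], rec["dst"])] += 1
        per_second[rec["dst"]][rec["ts"].replace(microsecond=0)] += 1
    peak = {dst: max(seconds.values()) for dst, seconds in per_second.items()}
    return {"pairs": pairs, "peak_per_second": peak, "skipped": skipped}


if __name__ == "__main__":
    # Usage: python3 fastlog_summary.py < /var/log/suricata/fast.log
    # Here the constructed sample is used so the script runs offline.
    report = summarize_alerts(SAMPLE_FAST_LOG.splitlines())
    for (src, dst), n in report["pairs"].most_common():
        print(f"{src} -> {dst}: {n} alerts, peak {report['peak_per_second'][dst]}/s")
    print(f"unparsed lines skipped: {report['skipped']}")
```

Pointing the script at a real fast.log (via stdin, as the comment in the main block suggests) gives a ranked list of address pairs; a single destination with a high per-second peak is the kind of pattern worth correlating with the tcpdump of the same traffic before deciding what to suppress or threshold.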