[Oisf-users] Can I block DDos attack via Suricata-IDS?
Cooper F. Nelson
cnelson at ucsd.edu
Wed Feb 1 19:00:03 UTC 2017
I'm running these rules:
alert udp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL DOS UDP port 80 flood inbound, Potential DOS"; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL DOS UDP port 80 flood outbound, Potential DOS"; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS SYN packet flood inbound, Potential DOS"; flow:to_server; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS SYN packet flood outbound, Potential DOS"; flow:to_server; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)
When they trigger we investigate and take action as required.
Note that these sigs cause high load on a busy sensor. And somewhat
ironically, the "SYN flood" sigs will DOS Suricata itself when
experiencing a SYN flood. This is ok for us, though, as we'll take
action to prevent the attack.
-Coop
On 2/1/2017 3:03 AM, Jason Long wrote:
> I need the user ideas and experiences.
> --------------------------------------------
> On Mon, 1/30/17, Jason Long <hack3rcon at yahoo.com> wrote:
>
> Subject: Can I block DDos attack via Suricata-IDS?
> To: "Oisf-users" <oisf-users at lists.openinfosecfoundation.org>
> Date: Monday, January 30, 2017, 3:58 AM
>
> Hello. Can I use Suricata-IDS to
> block DDoS attacks?
> Thank you.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
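As an added illustration (not part of Cooper's post or of Suricata's own code), the following Python model shows what the inbound SYN-flood rule above actually counts: `flags:S,12` selects pure SYN packets while ignoring the two bits older rule syntax calls 1 and 2 (CWR and ECE in current TCP), and `threshold: type both, track by_dst, count 5000, seconds 5` raises one alert per destination per 5-second window, and only once that destination has seen 5000 matching packets inside the window. The `Packet` record, the flag letters, the `detect` helper and all of the traffic are constructed for this example; the mapping of bits 1 and 2 to the letters C and E is a modelling assumption.

```python
"""Model of the inbound SYN-flood rule (sid:5) from the post above.
Added example: the Packet type, the detect() helper and every packet
below are constructed here and are not Suricata internals."""
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src dst dport flags")

# 'flags:S,12' = SYN set and every other flag clear, except that the two
# bits the rule calls 1 and 2 are ignored.  Assumption of this model: those
# are the CWR and ECE bits, written with Suricata's letters C and E.
IGNORED_BY_12 = {"C", "E"}


def matches_syn_rule(pkt):
    """Equivalent of 'tcp ...; flow:to_server; flags:S,12' for this model."""
    if pkt.proto != "tcp":
        return False
    effective = set(pkt.flags) - IGNORED_BY_12
    return effective == {"S"}


class BothThreshold:
    """'threshold: type both, track by_dst, count N, seconds T': one alert
    per key per T-second window, emitted only when the key has produced
    N matching packets inside that window."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.windows = {}          # key -> (window_start, hits)

    def observe(self, key, ts):
        start, hits = self.windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, hits = ts, 0    # window expired: start a fresh count
        hits += 1
        self.windows[key] = (start, hits)
        return hits == self.count  # fires exactly once per window


def detect(packets, count=5000, seconds=5):
    """Run the SYN-flood rule over an iterable of packets and return the
    (ts, dst) pairs at which it would alert."""
    thr = BothThreshold(count, seconds)
    alerts = []
    for pkt in packets:
        if matches_syn_rule(pkt) and thr.observe(pkt.dst, pkt.ts):
            alerts.append((pkt.ts, pkt.dst))
    return alerts


def synthetic(n, duration, dsts, flags="S", start=0.0):
    """Constructed traffic: n packets spread evenly over `duration` seconds,
    round-robin across `dsts`, all carrying the given TCP flags."""
    step = duration / n
    return [Packet(start + i * step, "tcp", f"198.51.100.{i % 200}",
                   dsts[i % len(dsts)], 80, flags) for i in range(n)]


# Constructed scenarios for the rule's count=5000 / seconds=5 settings.
flood = synthetic(6000, 2.0, ["10.0.0.5"])               # 6000 SYN in 2 s
slow = synthetic(5000, 10.0, ["10.0.0.5"])               # 5000 SYN in 10 s
split = synthetic(6000, 2.0, ["10.0.0.5", "10.0.0.6"])   # 3000 per host
synack = synthetic(6000, 2.0, ["10.0.0.5"], flags="SA")  # replies, not SYNs
ecn = synthetic(6000, 2.0, ["10.0.0.5"], flags="SCE")    # SYN with ECN setup

if __name__ == "__main__":
    for name, pkts in [("flood", flood), ("slow", slow), ("split", split),
                       ("synack", synack), ("ecn", ecn)]:
        print(f"{name:7s} alerts={detect(pkts)}")
```

Only `flood` and `ecn` alert, each exactly once. `slow` never does, because the 5-second window resets halfway through and neither half reaches 5000; `split` never does, because `track by_dst` counts each destination separately; `synack` never matches `flags:S,12` at all. The per-destination table in `BothThreshold.windows` is also where the load Cooper mentions comes from: every SYN to a new destination creates state, so a sensor facing a flood spread across many hosts does a counter update per packet on top of its normal work.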