Reduce / Limit number of alerts occurring from Snort Rule Trigger (Syn Flood)
So I have a snort rule that detects syn flood attacks that looks like this:
alert tcp any any -> $HOME_NET 80 (msg:"SYN Flood - SSH"; flags:S; flow:stateless; detection_filter: track by_dst, count 40, seconds 10; gid:1; sid:10000002; rev:1; classtype:attempted-dos;)
The problem is, when I trigger it using tcpreplay (With a Ddos.pcapng file):
sudo tcpreplay -i interface /home/Practicak/DDoS.pcapng
When listening on my VM1, and after running the TCP replay, I get a lot of alerts, e.g. hundreds of "Syn Flood Detected" alerts.
How can I limit this so that I only get a few / 1 alert for each Syn Flood that is initiated, i.e. using TCPReplay with the pcap file? And is it good practice to display fewer alerts?
Thanks
snort denial-of-service intrusion-detection
edited Mar 7 at 11:14 by Bernhard Eriksson
asked Mar 7 at 9:00 by Liam
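The flood of alerts comes from what detection_filter is: it is a gate on the rule, not a throttle on its output. Once the 40th SYN to a destination arrives inside the 10-second window, the rule matches on that packet and on every later SYN in the same window, so a 500-packet replay yields hundreds of alerts. The Snort 2 mechanism for capping output is an event_filter of type limit (configured in snort.conf or threshold.conf, keyed on the rule's gid/sid), which keeps the rule's sensitivity but logs only the first N events per host per window. The following script is an added illustration, not code from the question or from Snort itself; it models the two mechanisms as the Snort 2 manual describes them, using constructed timestamps and addresses (10.0.0.5, 10.0.0.6) and the rule's own count/seconds values:

```python
"""Constructed model of Snort 2's detection_filter gate versus an
event_filter throttle (not Snort's own code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Packet = Tuple[float, str]  # (timestamp in seconds, destination IP)


@dataclass
class DetectionFilter:
    """Rule-level gate: the rule may match only after `count` packets to the
    tracked host were seen within `seconds`; every further packet in that
    window also matches, which is what produces hundreds of alerts."""
    count: int
    seconds: float
    _state: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def matches(self, key: str, now: float) -> bool:
        start, seen = self._state.get(key, (now, 0))
        if now - start >= self.seconds:      # window expired: start a new one
            start, seen = now, 0
        seen += 1
        self._state[key] = (start, seen)
        return seen >= self.count


@dataclass
class EventFilterLimit:
    """Output-level throttle (event_filter ... type limit): log the first
    `count` events per tracked host in each `seconds` window, drop the rest."""
    count: int
    seconds: float
    _state: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def allows(self, key: str, now: float) -> bool:
        start, logged = self._state.get(key, (now, 0))
        if now - start >= self.seconds:
            start, logged = now, 0
        logged += 1
        self._state[key] = (start, logged)
        return logged <= self.count


def count_alerts(packets: List[Packet], gate: DetectionFilter,
                 throttle: Optional[EventFilterLimit] = None) -> int:
    """Run SYNs through the rule gate and, optionally, the output throttle."""
    alerts = 0
    for ts, dst in packets:
        if not gate.matches(dst, ts):
            continue
        if throttle is None or throttle.allows(dst, ts):
            alerts += 1
    return alerts


def constructed_traffic() -> List[Packet]:
    """Constructed sample: two 500-SYN bursts at 250 SYN/s against 10.0.0.5,
    20 s apart, plus five normal SYNs to 10.0.0.6 (never reach the gate)."""
    burst1 = [(i * 0.004, "10.0.0.5") for i in range(500)]
    burst2 = [(20.0 + i * 0.004, "10.0.0.5") for i in range(500)]
    benign = [(0.5 * i, "10.0.0.6") for i in range(1, 6)]
    return sorted(burst1 + burst2 + benign)


def run_demo() -> Tuple[int, int]:
    """Returns (alerts with detection_filter only, alerts with event_filter)."""
    traffic = constructed_traffic()
    gate_only = count_alerts(traffic, DetectionFilter(count=40, seconds=10))
    # Equivalent Snort 2 config line (snort.conf or threshold.conf):
    #   event_filter gen_id 1, sig_id 10000002, type limit, track by_dst, count 1, seconds 10
    throttled = count_alerts(traffic, DetectionFilter(count=40, seconds=10),
                             EventFilterLimit(count=1, seconds=10))
    return gate_only, throttled


if __name__ == "__main__":
    gate_only, throttled = run_demo()
    print(f"detection_filter only: {gate_only} alerts")      # 461 per burst
    print(f"with event_filter limit 1/10s: {throttled} alerts")  # 1 per burst
```

With the gate alone, each burst produces 461 alerts (packets 40 through 500); with the limit filter added, each burst produces exactly one. Keeping the rule's threshold as-is and throttling at the output stage is the usual practice: the detection stays as sensitive as before, the analyst sees one event per attacking window, and the `seconds` value of the event_filter sets how soon a renewed flood against the same host is reported again.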