Snort mailing list archives

Re: [Emerging-Sigs] TCP/UDP "trivial" ports?
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 23 Apr 2013 14:29:26 -0500

UDP sig with threshold might be interesting... Will be expensive though.
What do you guys think?



On Tue, Apr 23, 2013 at 1:35 PM, Castle, Shane <scastle () bouldercounty org> wrote:

I see that using the chargen port for DDoS is happening:

Now, I block all these both ways at my firewall (actually, on the outside,
I think they are in a router ACL), but looking through the complete set of
rules I don't see anything but one ("DOS UDP echo+chargen bomb", sid 271)
that seems to address this port range of the TCP and UDP "trivial" (AKA
"simple") ports. Has there ever been one? Should we have one?

Shane Castle
Data Security Mgr, Boulder County IT

Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
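
A model of what a thresholded UDP signature on the simple-service ports would do, added here as an example; it is not part of the thread and is not Snort or Emerging Threats code. The port list (7, 9, 13, 17, 19), the count and seconds values, the "one alert per window" behaviour, and all names and sample packets are assumptions constructed for illustration. The tracked-state figure it returns shows where the cost mentioned above comes from: one counter per tracked address.

```python
from collections import namedtuple

# Assumed "simple" services: echo, discard, daytime, qotd, chargen.
SIMPLE_PORTS = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}

Packet = namedtuple("Packet", "ts proto src dst dport")


class ThresholdBoth:
    """Alert once per window after `count` matching packets in `seconds`."""

    def __init__(self, count, seconds, track="by_src"):
        self.count, self.seconds, self.track = count, seconds, track
        self.state = {}  # tracked address -> [window_start, hits, alerted]

    def observe(self, pkt):
        # Only UDP traffic to a simple-service port is counted.
        if pkt.proto != "udp" or pkt.dport not in SIMPLE_PORTS:
            return None
        key = pkt.src if self.track == "by_src" else pkt.dst
        entry = self.state.get(key)
        # Start a fresh window for a new key or once the old window expired.
        if entry is None or pkt.ts - entry[0] >= self.seconds:
            entry = self.state[key] = [pkt.ts, 0, False]
        entry[1] += 1
        if entry[1] >= self.count and not entry[2]:
            entry[2] = True  # suppress further alerts in this window
            return (pkt.ts, key, SIMPLE_PORTS[pkt.dport])
        return None


def run(packets, **kw):
    """Return (alerts, number of addresses held in state)."""
    det = ThresholdBoth(**kw)
    alerts = [a for a in map(det.observe, packets) if a]
    return alerts, len(det.state)


# Constructed sample traffic using documentation addresses, one packet/second.
SAMPLE = sorted(
    [Packet(t, "udp", "198.51.100.7", "192.0.2.10", 19) for t in range(30)]
    + [Packet(5, "udp", "203.0.113.5", "192.0.2.10", 7)]     # single echo probe
    + [Packet(6, "udp", "203.0.113.9", "192.0.2.10", 53)]    # DNS, not counted
    + [Packet(100 + t, "udp", "198.51.100.7", "192.0.2.10", 19) for t in range(30)],
    key=lambda p: p.ts,
)

if __name__ == "__main__":
    print(run(SAMPLE, count=20, seconds=60))
    print(run(SAMPLE, count=20, seconds=60, track="by_dst"))
```

Tracking by source keeps one entry per sender, so traffic from many or spoofed sources grows the state table; tracking by destination keeps it bounded by the number of protected hosts.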
