Snort mailing list archives

re: ICMP flood detection?


From: rottz () securityflaw com
Date: Mon, 20 Aug 2001 09:10:05 -0500

How about an ICMP preprocessor that detects ICMP floods? Like, it sets a
threshold, so when it detects 3 ICMP packets in 30 seconds it sends an
alert "ICMP FLOOD DETECTED"; then maybe you could use snortsam to deny
the ICMP packets at the firewall. This would come in handy for DOS
attacks and DDOS attacks. It could count the ICMP packets and count all
source IPs (DDoS) and output in a nice little summary.
Anyone up for the challenge? My C skills aren't strong enough.

Ofir Arkin wrote:

I have compiled a little change request to Snort here. The main goal is
to have a better "presentation" layer for the ICMP protocol and to add
several options to several rule option values.


Peter
-- 
rottz at securityflaw dot com
Founder of Securityflaw
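The threshold logic proposed in the post, as an added stand-alone illustration (not a Snort preprocessor and not code from the list; a real preprocessor would be C against Snort's packet structures): a sliding-window counter over ICMP packet timestamps that raises one "ICMP FLOOD DETECTED" alert per flood and keeps a per-source count for the DDoS summary. The class and function names, the constructed trace and the 3-packets-in-30-seconds defaults are assumptions taken from the post's figures.

```python
"""Sliding-window ICMP flood detector: alert when a threshold of ICMP packets
arrives within the window, and count packets per source to surface a DDoS."""
from collections import deque, Counter

ALERT_MSG = "ICMP FLOOD DETECTED"

class IcmpFloodDetector:
    def __init__(self, threshold=3, window_seconds=30.0):
        self.threshold = threshold
        self.window = window_seconds
        self.recent = deque()         # (timestamp, src_ip) pairs still inside the window
        self.per_source = Counter()   # packets seen per source IP, for the summary
        self.alerts = []              # (timestamp, packets_in_window) per alert raised
        self.alerting = False         # suppress repeat alerts while the flood continues

    def _expire(self, now):
        # Drop packets older than the window from the front of the deque.
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()

    def observe(self, timestamp, src_ip):
        """Feed one ICMP packet; return ALERT_MSG when the threshold is first crossed."""
        self._expire(timestamp)
        self.recent.append((timestamp, src_ip))
        self.per_source[src_ip] += 1
        if len(self.recent) < self.threshold:
            self.alerting = False     # window drained below threshold: re-arm
            return None
        if self.alerting:
            return None
        self.alerting = True
        self.alerts.append((timestamp, len(self.recent)))
        return ALERT_MSG

    def summary(self):
        return {"total": sum(self.per_source.values()), "alerts": len(self.alerts),
                "distinct_sources": len(self.per_source), "sources": dict(self.per_source)}

# Constructed sample trace of (seconds, source IP); not a real capture.
SAMPLE_TRACE = [
    (0.0, "10.0.0.5"), (45.0, "10.0.0.5"),                          # 45 s apart: not a flood
    (100.0, "10.0.0.7"), (101.0, "10.0.0.8"), (102.0, "10.0.0.9"),  # 3 in 2 s, 3 sources: alert
    (103.0, "10.0.0.7"),                                            # still flooding: no repeat
    (200.0, "10.0.0.5"),                                            # window drained: re-armed
]

def run_detector(trace=SAMPLE_TRACE, threshold=3, window_seconds=30.0):
    det = IcmpFloodDetector(threshold, window_seconds)
    fired = [ts for ts, ip in trace if det.observe(ts, ip)]
    return fired, det.summary()
```

With the post's 3-in-30-seconds figures a routine ping would trip the alert, so a deployed threshold needs to be tuned well above the host's normal ICMP rate.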

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
