  1. #1
    Newbie
    Join Date
    Jul 2018
    Posts
    7

    How to drop (block) a DoS attack without dropping the HTTP port?

    I use this rule for detecting the DoS attack:

    alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, track by_src, count 70, seconds 10; sid:10001; rev:1;)

    But if I activate the block for this rule, the HTTP port is down, just like the action (drop) is blocking the HTTP port too. Of course the HTTP port can't be accessed.

    My question: how, or with what rules, can I drop (block) a DoS attack without blocking the HTTP port?
    Thanks.
    Last edited by Mokhamad Angga; 10-15-2018 at 09:21 AM.

  2. #2
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,118


    I'm no Snort expert, but my understanding is that the threshold: settings pertain only to logging; i.e. you're telling it to only log once per 70 SYN packets per source to port 80, within 10 seconds. But the DROP action will drop every TCP SYN packet to port 80 (thus effectively closing the port).

    I think you need to use the detection_filter instead: http://manual-snort-org.s3-website-u...tection_filter
    Last edited by johnsonx42; 10-15-2018 at 10:19 AM.
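    The difference johnsonx42 describes, written out as two rules (an added illustration for this thread, not from the original poster or from Untangle; it assumes Snort 2 syntax running inline, and sid 10002 is an arbitrary local rule id chosen here):

```snort
# Original approach: threshold only limits how often the event is LOGGED
# (once per 70 SYNs per source in 10 s). Every SYN that matches the rule
# header still gets the drop verdict, so port 80 is closed for everyone.
drop tcp !$HOME_NET any -> $HOME_NET 80 (msg:"Possible TCP DoS"; flags:S; flow:stateless; threshold:type both, track by_src, count 70, seconds 10; sid:10001; rev:1;)

# Rate-based approach: detection_filter is part of rule matching, so the rule
# does not fire (and nothing is dropped) until one source has sent more than
# 70 SYNs to port 80 within 10 seconds. Only that source's further SYNs in the
# window are dropped; SYNs from every other client keep reaching the server.
drop tcp !$HOME_NET any -> $HOME_NET 80 (msg:"TCP SYN flood from single source"; flags:S; flow:stateless; detection_filter:track by_src, count 70, seconds 10; sid:10002; rev:1;)
```

    Since tracking is by_src, many clients behind one NAT address share a single counter, so size the count for the busiest legitimate source you expect and watch the alerts before enabling the drop action.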

  3. #3
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    658


    There is a variety of DoS and DoS-related detection rules already included. If the choices seem a little bewildering, perhaps start by focusing on the ones set by default to log.

    To find the rules, search for DoS.
