
As per the title, I'm attempting to configure Snort to detect and alert on an incoming Denial of Service attack.

Looking at the rulesets, which are primarily signature-based rules, I can't see a logical way of looking for a flood of SYN ACK packets.

I've seen some of the examples from the following link, but they appear to be mostly anomaly-based examples (What approaches are there to detect DoS attacks in an IDS/Firewall?). I'm wondering if there's a rule available to detect such an attack.

Thanks!

Xaphia

1 Answer


Web application layer firewalls like ModSecurity and application layer filters like the Snort ruleset are generally signature-based rules. These rulesets are very comprehensive and cover most application layer attacks like XSS and SQL injection. Though these firewalls have support to protect against DoS through session and user level counters, this is not generally recommended as it requires a lot of computing.

For an understanding of mitigation strategies against application layer DoS, you can explore mod_evasive, an Apache module. There are five directives to be configured to protect against DoS from blacklisted IPs.

  1. DOSPageInterval: Sets the minimum accessible interval between two requests to a page from the same IP.
  2. DOSSiteInterval: Sets a minimum accessible interval between two requests to a site from the same IP.
  3. DOSPageCount: Sets the limit for the number of too-short requests to the same page.
  4. DOSSiteCount: Sets the limit for the number of too-short requests to the same site.
  5. DOSBlockingPeriod: How much time a bad IP should be blocked.
Ali Ahmad
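As an added example (not code from the question or the answer, and not mod_evasive's or Snort's own code), the following Python models the two rate-based checks discussed on this page: the per-destination "more than C SYNs within S seconds" test the question asks about, shaped like Snort's `detection_filter: track by_dst, count C, seconds S` rule option, and a simplified model of the five mod_evasive directives from the answer. The packet and request records are constructed inline, and the counter reset and block-refresh behaviour of the mod_evasive model is an approximation of the module's logic rather than a copy of it.

```python
# Added example: models of the rate-based checks discussed on this page,
# run over constructed traffic. Not mod_evasive or Snort code.
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Per-key event counter over a sliding window, in the spirit of a Snort
    rule option such as 'detection_filter: track by_dst, count C, seconds S'."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.events = defaultdict(deque)  # key -> timestamps in window

    def hit(self, key, ts):
        """Record an event for key at time ts; True once more than `count`
        events for that key fall inside the last `seconds` seconds."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.seconds:
            q.popleft()
        return len(q) > self.count


def syn_flood_alerts(packets, count=5, seconds=1.0):
    """Alert on destinations that receive more than `count` bare SYN packets
    (TCP flags == 'S') within `seconds`. Returns [(ts, dst), ...]."""
    tracker = SlidingWindowCounter(count, seconds)
    alerts = []
    for pkt in packets:
        if pkt["flags"] != "S":  # SYN/ACK and other flag sets are ignored
            continue
        if tracker.hit(pkt["dst"], pkt["ts"]):
            alerts.append((pkt["ts"], pkt["dst"]))
    return alerts


class EvasiveModel:
    """Approximation of mod_evasive's five directives (assumed semantics):
    a counter per (ip, page) and per ip; the counter resets when the gap
    since the previous hit is at least the interval, and the IP is blocked
    once the counter exceeds the count. A blocked IP stays blocked for
    DOSBlockingPeriod seconds measured from its most recent request."""

    def __init__(self, page_interval=1, site_interval=1,
                 page_count=2, site_count=50, blocking_period=10):
        self.page_interval, self.site_interval = page_interval, site_interval
        self.page_count, self.site_count = page_count, site_count
        self.blocking_period = blocking_period
        self.counters = {}  # key -> (last_ts, count)
        self.blocked = {}   # ip -> ts of last request while blocked

    def _bump(self, key, ts, interval, limit):
        last, count = self.counters.get(key, (None, 0))
        count = count + 1 if last is not None and ts - last < interval else 1
        self.counters[key] = (ts, count)
        return count > limit

    def request(self, ip, page, ts):
        """Return 'allow' or 'block' for one request."""
        blocked_at = self.blocked.get(ip)
        if blocked_at is not None:
            if ts - blocked_at < self.blocking_period:
                self.blocked[ip] = ts  # hitting while blocked extends the block
                return "block"
            del self.blocked[ip]
        page_hit = self._bump((ip, page), ts, self.page_interval, self.page_count)
        site_hit = self._bump(ip, ts, self.site_interval, self.site_count)
        if page_hit or site_hit:
            self.blocked[ip] = ts
            return "block"
        return "allow"


def sample_packets():
    """Constructed packet records (not a capture): an 8-packet SYN burst at
    10.0.0.5, one SYN/ACK, and slow legitimate SYNs to 10.0.0.9."""
    burst = [{"ts": round(i * 0.1, 1), "src": f"198.51.100.{i}",
              "dst": "10.0.0.5", "flags": "S"} for i in range(8)]
    synack = [{"ts": 0.05, "src": "10.0.0.5", "dst": "198.51.100.1", "flags": "SA"}]
    slow = [{"ts": float(t), "src": "203.0.113.7", "dst": "10.0.0.9", "flags": "S"}
            for t in (0, 2, 4, 6, 8)]
    return burst + synack + slow


def sample_requests():
    """Constructed HTTP request tuples (ip, page, ts): a rapid burst on one
    page, two more hits while blocked, then a request after the block."""
    return [("192.0.2.10", "/login", 100.0), ("192.0.2.10", "/login", 100.2),
            ("192.0.2.10", "/login", 100.4), ("192.0.2.10", "/login", 100.6),
            ("192.0.2.10", "/", 105.0), ("192.0.2.10", "/login", 116.0)]


def run_demo():
    """Return (SYN alerts, mod_evasive decisions) for the constructed traffic."""
    model = EvasiveModel(page_count=2, page_interval=1, blocking_period=10)
    decisions = [model.request(ip, page, ts) for ip, page, ts in sample_requests()]
    return syn_flood_alerts(sample_packets()), decisions


if __name__ == "__main__":
    alerts, decisions = run_demo()
    print("SYN alerts:", alerts)
    print("mod_evasive decisions:", decisions)
```

Running it shows the SYN counter staying silent for the slow sender and for the SYN/ACK, and alerting from the sixth SYN of the burst onward; the mod_evasive model lets the first two fast requests to `/login` through, blocks on the third, keeps blocking while the client keeps hitting within the blocking period, and allows again once the client has been quiet for DOSBlockingPeriod seconds.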