
Can someone provide me with rules to detect the following attack:

hping3 -S -p 80 --flood --rand-source [target]

I'm having problems with rules since the packets come from random sources.

My current rule is:

alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, track by_src, count 70, seconds 10; sid:10001;rev:1;)

This rule can only detect the attack from one source IP.

NoodleX

1 Answer

Use "by_dst" to track by destination instead of "by_src" if you are worried about distributed attacks.

Edit:

if I use "by_dst", normal requests will also be counted by this rule, which should not be the case.

... that is why Snort is no substitute for actively administering your server: a DDoS looks a lot like being popular on Digg at the network level (in either case, you'll want an alert when your server is unable to service requests rather than alerts on how many connections are being made).

This "How to detect a DDoS attack?" thread at Webmaster World might be a better place to start if you're more focused on identifying DDoS attacks than on configuring Snort.

danlefree
Thanks, this almost solved my problem. If I use "by_dst", normal requests will also be counted by this rule, which should not be the case. How do we differentiate normal requests which come from a user's browser from those made by hping or other DDoS tools? – NoodleX Sep 06 '10 at 11:35
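To see why the tracking key matters, here is an added Python model of the rule's threshold (written for this page, not Snort's own code) run over constructed SYN streams: it shows track by_src never firing on a random-source flood, by_dst firing on it, and by_dst also firing on a burst of distinct legitimate clients, which is exactly the limitation raised in the comment above. The addresses, timings and counts are made-up sample data.

```python
from collections import defaultdict

HOME_NET_HOST = "192.0.2.10"   # constructed target address (documentation range)

def flood_sample():
    """Constructed stream of (ts, src, dst, dport) SYNs: 80 spoofed SYNs from
    80 different sources in 8 seconds (as --rand-source would produce) plus
    5 SYNs from one ordinary client."""
    flood = [(0.1 * i, f"203.0.113.{i + 1}", HOME_NET_HOST, 80) for i in range(80)]
    normal = [(2.0 * i, "198.51.100.7", HOME_NET_HOST, 80) for i in range(5)]
    return sorted(flood + normal)

def busy_legit_sample():
    """Constructed stream: 75 distinct legitimate clients, one SYN each in 10 s."""
    return [(0.1 * i, f"198.51.100.{i + 1}", HOME_NET_HOST, 80) for i in range(75)]

def threshold_alerts(packets, track, count=70, seconds=10):
    """Model 'threshold: type both, track by_src|by_dst, count N, seconds S':
    per tracking key, alert once when N matching packets are seen inside an
    S-second window, then stay silent until that window expires."""
    state = defaultdict(lambda: {"start": None, "n": 0, "alerted": False})
    alerts = []
    for ts, src, dst, dport in packets:
        if dport != 80:
            continue                           # the rule matches dst port 80 only
        key = src if track == "by_src" else dst
        s = state[key]
        if s["start"] is None or ts - s["start"] >= seconds:
            s.update(start=ts, n=0, alerted=False)   # open a new window
        s["n"] += 1
        if s["n"] >= count and not s["alerted"]:
            s["alerted"] = True
            alerts.append((round(ts, 1), key))
    return alerts

if __name__ == "__main__":
    for name, pkts in (("flood", flood_sample()), ("busy", busy_legit_sample())):
        for track in ("by_src", "by_dst"):
            print(name, track, threshold_alerts(pkts, track))
```

The by_dst alert fires in both runs, so a count-based threshold alone cannot tell a spoofed flood from a legitimate burst; that is the point of the answer's advice to alert on the server failing to service requests rather than on connection counts.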