Reputation: 55
So I have a snort rule that detects syn flood attacks that looks like this:
alert tcp any any -> $HOME_NET 80 (msg:"SYN Flood - SSH"; flags:S; flow:stateless; detection_filter: track by_dst, count 40, seconds 10; gid:1; sid:10000002; rev:1; classtype:attempted-dos;)
The problem is, when I trigger it using tcpreplay (with a DDoS.pcapng file):
sudo tcpreplay -i interface /home/Practicak/DDoS.pcapng
While listening on my VM1, after running the tcpreplay, I get a lot of alerts, e.g. hundreds of "SYN Flood" alerts.
How can I limit this so that I only get a few alerts, or one alert, for each SYN flood that is initiated (i.e. using tcpreplay with the pcap file)? And is it good practice to display fewer alerts?
Thanks
Upvotes: 1
Views: 733
Reputation: 86
@Liam, the creation of a threshold would be one answer. Ref: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html
Another would be to aggregate in the primary data store that your alert logging feeds into, for example Elasticsearch or Splunk.
Upvotes: 1
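To make the thresholding answer concrete, here is an added Python example (not from the original question or answer) that models the two Snort stages involved: the rule's detection_filter, which keeps the rule silent until more than 40 SYNs to one destination arrive within 10 seconds and then fires on every further SYN in that window (that is why hundreds of alerts appear), and an event_filter of type limit in snort.conf, which passes only the first event per destination per 60-second window. The traffic is constructed in the script rather than read from the DDoS.pcapng; the window bookkeeping (window anchored at the first tracked event, reset when it expires, alert once the match count exceeds count) is an approximation of Snort's counters, and the exact boundary behaviour is an assumption, as are the 60-second window and the host addresses.

```python
# Added example: simulates Snort's detection_filter rule option followed by an
# event_filter of type "limit" over constructed SYN traffic. Not Snort code;
# window/boundary semantics are an approximation of Snort's counters.
#
# Snort configuration this models (rule as posted, quote fixed; event_filter
# line added to snort.conf to cap alerts at one per destination per 60 s):
#   alert tcp any any -> $HOME_NET 80 (msg:"SYN Flood - SSH"; flags:S;
#       flow:stateless; detection_filter: track by_dst, count 40, seconds 10;
#       gid:1; sid:10000002; rev:1; classtype:attempted-dos;)
#   event_filter gen_id 1, sig_id 10000002, type limit, track by_dst, count 1, seconds 60


class WindowCounter:
    """Per-key counter over a fixed window that starts at the first tracked
    event and is reset once `seconds` have elapsed (assumed Snort behaviour)."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.state = {}  # key -> (window_start, matches_in_window)

    def hit(self, key, ts):
        start, n = self.state.get(key, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        self.state[key] = (start, n)
        return n


class DetectionFilter(WindowCounter):
    """detection_filter: stay silent until more than `count` matches for the
    same key occur within the window; every later match in the window fires."""

    def __init__(self, count, seconds):
        super().__init__(seconds)
        self.count = count

    def fires(self, key, ts):
        return self.hit(key, ts) > self.count


class LimitFilter(WindowCounter):
    """event_filter type limit: log the first `count` events per key per
    window and drop the rest until the window expires."""

    def __init__(self, count, seconds):
        super().__init__(seconds)
        self.count = count

    def allows(self, key, ts):
        return self.hit(key, ts) <= self.count


def syn_burst(dst, n, t0, spread):
    """Constructed traffic: n SYNs from rotating spoofed sources to `dst`,
    evenly spread over `spread` seconds starting at t0."""
    return [(t0 + i * spread / n, f"198.51.100.{i % 250 + 1}", dst) for i in range(n)]


# Constructed sample: three 100-SYN bursts at the web server (t=0, 30, 90 s)
# and a handful of normal SYNs to another host that never exceed count 40.
SAMPLE_SYNS = sorted(
    syn_burst("10.0.0.5", 100, 0.0, 2.0)
    + syn_burst("10.0.0.5", 100, 30.0, 2.0)   # inside the first 60 s limit window
    + syn_burst("10.0.0.5", 100, 90.0, 2.0)   # new limit window: one more alert
    + syn_burst("10.0.0.9", 5, 5.0, 5.0),
    key=lambda p: p[0],
)


def run(packets, det_count=40, det_seconds=10, lim_count=1, lim_seconds=60):
    """Return (events generated by the rule, events that survive the limit)."""
    det = DetectionFilter(det_count, det_seconds)
    lim = LimitFilter(lim_count, lim_seconds)
    generated, logged = [], []
    for ts, _src, dst in packets:
        if det.fires(dst, ts):           # track by_dst: the key is the destination
            generated.append((ts, dst))
            if lim.allows(dst, ts):
                logged.append((ts, dst))
    return generated, logged


if __name__ == "__main__":
    generated, logged = run(SAMPLE_SYNS)
    print(f"rule fired {len(generated)} times, {len(logged)} alerts after event_filter")
    for ts, dst in logged:
        print(f"  t={ts:6.2f}s  SYN flood against {dst}")
```

With the detection_filter alone the rule fires 60 times per burst (matches 41 through 100), which is the flood of alerts described in the question; with the limit filter in front of the logger the same traffic produces one alert for the first two bursts together and one for the third, because the second burst lands inside the first 60-second window. The `threshold` rule option from the linked manual section is deprecated in Snort 2.8.5 and later in favour of `event_filter` in snort.conf, which is why the modelled configuration puts the limit there rather than in the rule. Aggregating downstream in Elasticsearch or Splunk, the answer's second option, leaves every event on disk and only collapses them at query time, which is the better choice when you later want to know how many SYNs actually arrived.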