#After testing, I figured out that 1500 SYN packets per second would be an appropriate metric for determining SYN Flood.
alert tcp any any -> $HOME_NET any (flags:S; msg:"Possible SYN Flood DoS"; flow:stateless; detection_filter:track by_dst, count 1500, seconds 1; classtype:attempted-dos; sid:1000890;)
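To see what the rule's detection_filter actually does, here is an added Python model of it (not Snort code, and not from the original post): it counts SYN-only packets per destination in a fixed one-second window and raises an event on the 1501st match and every match after it, which is how the Snort manual describes detection_filter. The packet layout and the sample traffic are constructed for the example.

```python
from collections import namedtuple

# Constructed packet record: timestamp (s), source, destination, TCP flag string.
Packet = namedtuple("Packet", ["ts", "src", "dst", "flags"])


class SynFloodDetector:
    """Approximate model of: flags:S; detection_filter:track by_dst, count N, seconds S.

    Per destination, matches are counted in a fixed window that starts at the
    first match; when the window expires the count restarts. Events fire once
    the count *exceeds* N (i.e. on match N+1 and each following match in the
    window), as the Snort manual describes detection_filter.
    """

    def __init__(self, count=1500, seconds=1):
        self.count = count
        self.seconds = seconds
        self._state = {}  # dst -> (window_start, matches)

    def process(self, pkt):
        """Return an alert string if the rule fires on this packet, else None."""
        if pkt.flags != "S":  # flags:S matches SYN with no other flag set
            return None
        start, matches = self._state.get(pkt.dst, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:  # window expired: start a new one
            start, matches = pkt.ts, 0
        matches += 1
        self._state[pkt.dst] = (start, matches)
        if matches > self.count:
            return (f"alert {pkt.src} -> {pkt.dst}: Possible SYN Flood DoS "
                    f"({matches} SYNs in {self.seconds}s)")
        return None


def run(detector, packets):
    """Feed packets through the detector and collect the alerts it raises."""
    return [a for a in (detector.process(p) for p in packets) if a]


def constructed_flood(n=1501, dst="10.0.0.5", t0=0.0):
    """Constructed traffic: n SYNs to dst spread over n/2000 seconds."""
    return [Packet(ts=t0 + i / 2000.0, src=f"192.0.2.{i % 250}", dst=dst, flags="S")
            for i in range(n)]


if __name__ == "__main__":
    for alert in run(SynFloodDetector(), constructed_flood(1502)):
        print(alert)
```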