7 Mar
Snort rule for SYN flood attacks – limiting the number of alerts
So I have a snort rule that detects syn flood attacks that looks like this:
alert tcp any any -> $HOME_NET 80 (msg:"SYN Flood - SSH"; flags:S; flow:stateless; detection_filter: track by_dst, count 40, seconds 10; gid:1; sid:10000002; rev:1; classtype:attempted-dos;)
The problem is, when I trigger it using tcpreplay on vm2 (With a Ddos.pcapng file):
sudo tcpreplay -i interface /home/Practicak/DDoS.pcapng
When listening on my VM1 with the Snort rule active, I get a lot of alerts, e.g. hundreds of "Syn Flood Detected" alerts.
How can I limit this so that I only get a few alerts, or one alert, for each SYN flood that is initiated (i.e. when using tcpreplay with the pcap file)? And is it good practice to display fewer alerts?
Thanks
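Added example (not from the original post): a `detection_filter` only gates when the rule may fire, so after the 40th SYN in a 10 s window every further matching packet produces an alert. Snort's `event_filter` (snort.conf / threshold.conf, Snort 2.9 syntax) then limits how often the event is logged; the sid and count values below are illustrative.

```snort
# Rule from the post (unchanged logic): fire once a destination has seen
# 40 SYNs to port 80 within 10 seconds. Every SYN after the 40th in that
# window still matches, which is what produces hundreds of alerts.
alert tcp any any -> $HOME_NET 80 (msg:"SYN Flood - SSH"; flags:S; flow:stateless; detection_filter: track by_dst, count 40, seconds 10; gid:1; sid:10000002; rev:1; classtype:attempted-dos;)

# snort.conf (or threshold.conf): rate-limit logging of that event.
# type limit  -> log the first event per tracked host, then suppress
#                further ones until the 60 s window expires.
# track by_dst -> one alert per attacked host, so parallel floods against
#                different servers are still each reported.
event_filter gen_id 1, sig_id 10000002, type limit, track by_dst, count 1, seconds 60

# Alternative: "type both" logs one alert per 60 s window only after the
# count is reached again, useful if a single burst should not alert at all.
# event_filter gen_id 1, sig_id 10000002, type both, track by_dst, count 1, seconds 60
```

Only one `event_filter` per gen_id/sig_id pair is allowed; a suppressed event still counts toward the `detection_filter` window, so the flood is still detected, just logged once per window.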