Snort rule for syn flood attacks – Limiting number of alerts
So I have a Snort rule that detects SYN flood attacks that looks like this:
alert tcp any any -> $HOME_NET 80 (msg:"SYN Flood – SSH"; flags:S;
flow: stateless; detection_filter: track by_dst, count 40, seconds 10;
gid:1; sid:10000002; …
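Why this rule produces so many alerts, and the standard way of limiting them, as an added example that is not part of the original post and not Snort's own code: a detection_filter suppresses only the first `count` matches per window and then fires on every further SYN in that window, so a flood of a few thousand packets yields a few thousand alerts. Snort's own mechanism for capping that volume is an event_filter (type limit) configured on the same gid/sid. The Python below reimplements the documented semantics of both filters (window restarts at the first match after expiry, as Snort's threshold code does) and runs them over a constructed SYN trace; the hosts, timestamps, and the 1-alert-per-60-seconds limit are assumptions for illustration.

```python
"""Model of how a Snort detection_filter and an event_filter interact on a SYN-flood rule.

Added example: this is not Snort code. It reimplements the documented threshold
semantics in Python so the alert volume can be counted offline on constructed input.
A "packet" is (timestamp_in_seconds, dst_ip).
"""


def detection_filter(packets, count, seconds):
    """Rule option: detection_filter: track by_dst, count <count>, seconds <seconds>.

    Per destination, the first `count` matches inside a `seconds` window are
    suppressed; every further match in that window generates an event. A match
    arriving after the window has expired restarts the window at that match.
    """
    state = {}            # dst -> (window_start, matches_in_window)
    events = []
    for t, dst in packets:
        start, n = state.get(dst, (t, 0))
        if t - start >= seconds:      # window expired: start a new one
            start, n = t, 0
        n += 1
        state[dst] = (start, n)
        if n > count:                 # threshold exceeded: rule fires on this packet
            events.append((t, dst))
    return events


def event_filter_limit(events, count, seconds):
    """snort.conf: event_filter gen_id 1, sig_id 10000002, type limit, track by_dst,
    count <count>, seconds <seconds>.

    Passes only the first `count` events per destination in each window and
    drops the rest until the window expires.
    """
    state = {}            # dst -> (window_start, events_in_window)
    alerts = []
    for t, dst in events:
        start, n = state.get(dst, (t, 0))
        if t - start >= seconds:
            start, n = t, 0
        n += 1
        state[dst] = (start, n)
        if n <= count:                # only the first `count` per window are logged
            alerts.append((t, dst))
    return alerts


def constructed_syn_trace():
    """Constructed input (assumed hosts): two 50-packet SYN bursts at 10 pps against
    one host, 20 s apart, plus five benign SYNs to another host."""
    victim, benign = "10.0.0.5", "10.0.0.6"
    pkts = [(i * 0.1, victim) for i in range(50)]            # t = 0.0 .. 4.9
    pkts += [(20.0 + i * 0.1, victim) for i in range(50)]    # t = 20.0 .. 24.9
    pkts += [(float(i), benign) for i in range(5)]           # never reaches 40 in 10 s
    return sorted(pkts)


def alert_counts(packets, df_count=40, df_seconds=10, limit_count=1, limit_seconds=60):
    """Return (events raised by the rule alone, alerts left after the event_filter)."""
    events = detection_filter(packets, df_count, df_seconds)
    alerts = event_filter_limit(events, limit_count, limit_seconds)
    return len(events), len(alerts)


if __name__ == "__main__":
    raw, limited = alert_counts(constructed_syn_trace())
    print(f"rule alone: {raw} alerts; with event_filter type limit, count 1, seconds 60: {limited}")
```

On this trace the rule alone raises 20 events (packets 41-50 of each burst), and the event_filter reduces that to a single alert per destination per 60 seconds; the benign host, which never exceeds 40 SYNs in 10 seconds, raises nothing. The same pairing applies to the real rule: keep detection_filter in the rule to define the flood rate, and put the alert cap in an event_filter keyed on gid 1 / sid 10000002 rather than trying to express it in the rule itself.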