[Emerging-Sigs] SSDP DoS sig

Jake Warren jake.warren at masergy.com
Thu Sep 4 15:11:01 EDT 2014

As a supplement to 2019102, this should detect an inbound SSDP DoS attack:

alert udp $EXTERNAL_NET 1900 -> $HOME_NET any (msg:"Possible SSDP DRDoS";
dsize:>100; content:"HTTP/1.1 200 OK|0d 0a|"; depth:17; content:"ST|3a
20|"; nocase; distance:0; threshold: type both,track by_src,count
50,seconds 5; classtype:attempted-dos; sid:xxxx; rev:1;)

The threshold likely needs to be tweaked, could change it to track by_dst
depending on how you want to be alerted.

*Jake Warren * *Level 2 Sr. Network Security Analyst*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140904/bb7c078b/attachment.html>

More information about the Emerging-sigs mailing list