[Emerging-Sigs] SSDP DoS sig

Darien Huss dhuss at emergingthreats.net
Thu Sep 4 15:19:31 EDT 2014


Cool, thanks Jake, we'll get that into QA!

Regards,
Darien


On Thu, Sep 4, 2014 at 3:11 PM, Jake Warren <jake.warren at masergy.com> wrote:

> As a supplement to 2019102, this should detect an inbound SSDP DoS attack:
>
> alert udp $EXTERNAL_NET 1900 -> $HOME_NET any (msg:"Possible SSDP DRDoS"; dsize:>100; content:"HTTP/1.1 200 OK|0d 0a|"; depth:17; content:"ST|3a 20|"; nocase; distance:0; threshold: type both,track by_src,count 50,seconds 5; classtype:attempted-dos; sid:xxxx; rev:1;)
>
> The threshold likely needs to be tweaked, could change it to track by_dst
> depending on how you want to be alerted.
>
>
> Jake Warren, Level 2 Sr. Network Security Analyst
> www.masergy.com
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
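To make the quoted rule's behaviour concrete, here is an added Python model (not part of the thread, and not Snort or Suricata code) that applies the per-packet checks from the rule (source port 1900, dsize:>100, the two content matches with depth/distance/nocase) and then a simplified re-implementation of "threshold: type both, count 50, seconds 5" keyed by source or destination address. The packets and addresses are constructed; the threshold semantics are my reading of the engine documentation ("both" alerts once per interval after the count is reached), which is an assumption.

```python
"""Added model of the quoted SSDP DRDoS rule: per-packet matching plus a
simplified 'threshold: type both' tracker. Constructed packets; not engine code."""
from dataclasses import dataclass

# Rule options copied from the quoted signature
DSIZE_MIN = 100                        # dsize:>100
CONTENT_1 = b"HTTP/1.1 200 OK\r\n"     # content:"HTTP/1.1 200 OK|0d 0a|"; depth:17
DEPTH_1 = 17
CONTENT_2 = b"st: "                    # content:"ST|3a 20|"; nocase; distance:0
THRESH_COUNT = 50                      # threshold ... count 50
THRESH_SECONDS = 5                     # threshold ... seconds 5


@dataclass
class Packet:
    ts: float          # seconds
    src_ip: str
    src_port: int
    dst_ip: str
    payload: bytes


def rule_matches(pkt: Packet) -> bool:
    """Per-packet part of the rule: udp src port 1900, dsize, two content checks."""
    if pkt.src_port != 1900:
        return False
    if len(pkt.payload) <= DSIZE_MIN:                # dsize:>100
        return False
    pos = pkt.payload[:DEPTH_1].find(CONTENT_1)      # depth:17 limits the search
    if pos < 0:
        return False
    # distance:0 -> search from the end of the first match; nocase -> fold case
    rest = pkt.payload[pos + len(CONTENT_1):].lower()
    return CONTENT_2 in rest


class BothThreshold:
    """threshold: type both, track by_src|by_dst, count N, seconds S.
    'both' (assumed semantics): fire once when the Nth matching event lands
    inside the interval, then stay quiet for the rest of that interval."""

    def __init__(self, count=THRESH_COUNT, seconds=THRESH_SECONDS, track="by_src"):
        self.count, self.seconds, self.track = count, seconds, track
        self.state = {}  # tracked address -> [window_start, events, alerted]

    def track_key(self, pkt: Packet) -> str:
        return pkt.src_ip if self.track == "by_src" else pkt.dst_ip

    def event(self, pkt: Packet) -> bool:
        key = self.track_key(pkt)
        st = self.state.get(key)
        if st is None or pkt.ts - st[0] >= self.seconds:
            st = [pkt.ts, 0, False]                  # start a fresh interval
            self.state[key] = st
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def run_rule(packets, track="by_src"):
    """Return [(ts, tracked_address)] for every alert the rule would raise."""
    th = BothThreshold(track=track)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if rule_matches(pkt) and th.event(pkt):
            alerts.append((pkt.ts, th.track_key(pkt)))
    return alerts


# Constructed SSDP M-SEARCH response (well over 100 bytes); addresses are documentation ranges
SSDP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.10:1900/rootDesc.xml\r\n"
    b"SERVER: Example/1.0 UPnP/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n"
)
VICTIM = "198.51.100.5"


def reflected_flood(reflectors, per_reflector, spacing=0.05):
    """Constructed traffic: each reflector sends `per_reflector` responses to VICTIM."""
    pkts = []
    for n, src in enumerate(reflectors):
        for i in range(per_reflector):
            pkts.append(Packet(n * 0.01 + i * spacing, src, 1900, VICTIM, SSDP_RESPONSE))
    return pkts


if __name__ == "__main__":
    one = reflected_flood(["192.0.2.10"], 60)                              # 60 pkts in 3 s
    three = reflected_flood(["192.0.2.10", "192.0.2.11", "192.0.2.12"], 30)  # 3 x 30 pkts
    print("single reflector, by_src:", run_rule(one))               # one alert, at the 50th packet
    print("three reflectors, by_src:", run_rule(three))             # none: each source stays under 50
    print("three reflectors, by_dst:", run_rule(three, "by_dst"))   # one alert: 90 packets hit VICTIM
```

The last two runs show the point raised about the tracking key: with several reflectors each staying under the count, `track by_src` never fires, while `track by_dst` fires once for the victim that receives the combined volume. The model also shows why "type both" keeps alert volume down during a flood: one alert per tracked address per 5-second interval, however many packets arrive.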