Detecting attacks in RFC3514-compliant traffic
Those of you who run RFC 3514-compliant networks might be interested in this Snort rule I wrote. It has an unusually good detection rate, with very low false positive and false negative rates. So far it's working well for me, so I thought I'd share it:
alert ip any any -> any any (msg:"RFC 3514 Attack Traffic Detected"; fragbits:R; classtype:misc-attack; sid:35140; rev:1;)
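To make clear what `fragbits:R` actually matches on, here is an added Python example (my own, not part of the original post) that builds constructed IPv4 headers and checks the reserved bit of the flags field, the bit RFC 3514 designates as the evil bit. The helper names (`build_ipv4_header`, `is_evil`, `rfc3514_alerts`) and the 192.0.2.0/24 sample addresses are my own choices.

```python
import struct

# Bit layout of the IPv4 flags/fragment-offset field (RFC 791):
# bit 15 = reserved (the RFC 3514 "evil bit"), bit 14 = DF, bit 13 = MF,
# bits 0-12 = fragment offset. Snort's fragbits:R tests bit 15.
EVIL_BIT = 0x8000
DF_BIT = 0x4000
MF_BIT = 0x2000


def build_ipv4_header(src, dst, evil=False, df=True, proto=6, payload_len=0):
    """Constructed sample: a minimal 20-byte IPv4 header (checksum left at 0)."""
    ver_ihl = (4 << 4) | 5                      # version 4, header length 5 words
    total_len = 20 + payload_len
    flags_frag = (EVIL_BIT if evil else 0) | (DF_BIT if df else 0)
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def is_evil(packet):
    """Return True when the reserved bit is set in the IPv4 header.

    Same check the Snort rule makes with fragbits:R. Raises ValueError
    for anything that is not at least a 20-byte IPv4 header.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack("!H", packet[6:8])[0]   # bytes 6-7 of the header
    return bool(flags_frag & EVIL_BIT)


def rfc3514_alerts(packets):
    """Run the check over (label, packet) pairs; return labels that would alert."""
    return [label for label, pkt in packets if is_evil(pkt)]


if __name__ == "__main__":
    sample = [
        ("benign", build_ipv4_header("192.0.2.10", "192.0.2.20")),
        ("evil", build_ipv4_header("192.0.2.10", "192.0.2.20", evil=True)),
    ]
    print(rfc3514_alerts(sample))   # ['evil']
```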