This rule would drop all SYN packets being sent to the server on port 80. Would it be better to do track by_src
so you only drop packets from the supposed SYN packet spammer?
A rule like this
alert tcp any any -> $HOME_NET any (msg:"HPING3"; ttl:64; flags:S; sid:1; rev:1;)
combined with a rate filter like this one
rate_filter gen_id 1, sig_id 1, track by_src, count 100, seconds 5, \
new_action drop, timeout 30
would drop all packets from any IP sending more than 100 SYN packets in less than 5 seconds to any HOME_NET IP. The spamming IP would be unblocked after 30 seconds.
The downside to this approach is that the rule will flood your alert logs due to triggering on all SYN packets when not dropping.
I have not actually tested this and might have misunderstood Victor.
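As an added illustration (not part of the original post and not Snort's own code), the following Python models the rule and rate_filter quoted above and runs them over constructed traffic, comparing track by_src with track by_dst. The sliding-window and timeout semantics are an assumption that follows the rate_filter documentation (count events per tracked key within seconds, switch to new_action for timeout seconds, then revert); Snort's actual bucketing may differ in detail, and new_action drop only takes effect when Snort runs inline. The addresses and timestamps are made up.

```python
"""Model of the posted rule + rate_filter, run over constructed SYN traffic."""
from collections import Counter, defaultdict, deque


class RateFilter:
    """Simplified model of Snort's rate_filter (count/seconds, new_action,
    timeout, track by_src|by_dst|by_rule).

    Assumption, not Snort's actual code: matching events are counted per
    tracking key in a sliding window of `seconds`; once `count` events fall
    inside the window the rule's own action is replaced by `new_action` for
    `timeout` seconds, after which it reverts."""

    def __init__(self, count, seconds, timeout, track="by_src",
                 base_action="alert", new_action="drop"):
        self.count, self.seconds, self.timeout = count, seconds, timeout
        self.track, self.base_action, self.new_action = track, base_action, new_action
        self.window = defaultdict(deque)   # key -> timestamps of recent matches
        self.until = {}                    # key -> time when new_action stops applying

    def _key(self, pkt):
        if self.track == "by_src":
            return pkt["src"]
        if self.track == "by_dst":
            return pkt["dst"]
        return "rule"                      # by_rule: one counter for all traffic

    def process(self, pkt):
        """Return the action taken for pkt, or None if the rule does not match."""
        # Rule body from the post: flags:S and ttl:64 (ports are 'any').
        if pkt["flags"] != "S" or pkt["ttl"] != 64:
            return None
        t, key = pkt["t"], self._key(pkt)
        if t < self.until.get(key, float("-inf")):
            return self.new_action          # still inside the timeout period
        q = self.window[key]
        q.append(t)
        while q and q[0] <= t - self.seconds:
            q.popleft()                     # forget matches older than the window
        if len(q) >= self.count:
            self.until[key] = t + self.timeout
            q.clear()
            return self.new_action          # threshold reached: new_action applies
        return self.base_action             # below threshold: the rule still alerts


def syn(src, dst, t, ttl=64, flags="S"):
    return {"src": src, "dst": dst, "t": t, "ttl": ttl, "flags": flags}


# Constructed traffic (not a capture): a flooder, a normal client and one
# post-timeout probe from the flooder, all aimed at the same HOME_NET host.
ATTACKER, CLIENT, SERVER = "10.0.0.66", "192.168.1.10", "192.168.1.1"
TRAFFIC = sorted(
    [syn(ATTACKER, SERVER, 0.02 * i) for i in range(150)]   # 150 SYNs in ~3 s
    + [syn(CLIENT, SERVER, t) for t in (1.0, 2.5, 4.0)]     # 3 legitimate SYNs
    + [syn(ATTACKER, SERVER, 40.0)]                          # after the 30 s timeout
    + [syn(CLIENT, SERVER, 1.5, flags="A")],                 # an ACK: rule does not match
    key=lambda p: p["t"],
)


def simulate(track):
    """Apply the posted rate_filter (count 100, seconds 5, timeout 30) with the
    given track mode and return a Counter of (src, action) pairs."""
    rf = RateFilter(count=100, seconds=5, timeout=30, track=track)
    outcome = Counter()
    for pkt in TRAFFIC:
        outcome[(pkt["src"], rf.process(pkt))] += 1
    return outcome


if __name__ == "__main__":
    for mode in ("by_src", "by_dst"):
        print(mode, dict(simulate(mode)))
```

With track by_src only the flooder is dropped (the 100th SYN and the 50 after it), the client's three SYNs keep alerting, and the flooder's SYN at 40 s is alerted rather than dropped because the 30 s timeout has expired. With track by_dst the counter is shared by everything sent to the server, so the client's later SYNs are dropped along with the flood, which is exactly the collateral damage the post asks about. In both modes every SYN below the threshold still generates an alert, the log-flooding downside mentioned above.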