Hi,
To explain the issue, please understand the scenario.
I have two machines:
- Ubuntu with Floodlight
- Kali Linux with mininet
I am using a customized rule to detect the SYN flood attack, but it is not triggering. The rule is below:
alert tcp any any -> $HOME_NET any (msg:"Possible SYN Flood Attack"; flow:stateless; flags:S; threshold: type both, track by_src, count 100, seconds 5; sid:1000001;)
But it is not triggering.
I am using host h1 as a TCP server with this command:
iperf -s -p 3010 -i 1
And generating normal bandwidth from h2 to h1:
iperf -c 10.0.0.1 -p 3010 -t 180
And using h3 to flood with the TCP SYN attack:
hping3 -c 10000 -d 120 -S -w 64 -p 3010 --flood 10.0.0.1
I tested my Suricata by using an ICMP rule to check if Suricata is triggering. The other rules are triggering, but the TCP SYN flood attack rule is not triggering.
alert icmp any any -> any any (msg:"ICMP Ping detected"; sid:1000002;)
Can anyone please help and explain why the TCP alert rule is not triggering?
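To make the firing conditions of the posted rule checkable offline, here is an added Python simulation of how `threshold: type both, track by_src, count 100, seconds 5` behaves on a SYN stream. This is example code written for this page, not Suricata's engine and not code from the original poster. The packet stream is constructed to mimic the scenario above (h2 doing a normal iperf handshake, h3 sending a SYN burst to 10.0.0.1), and the two `HOME_NET` values passed in are assumptions used to show that the header `-> $HOME_NET` must cover 10.0.0.1 before the threshold can ever count anything.

```python
"""Offline simulation of the posted Suricata rule:
   alert tcp any any -> $HOME_NET any (flags:S; threshold: type both,
   track by_src, count 100, seconds 5; ...)
Added example; not Suricata code and not from the original post."""
import ipaddress


def in_home_net(ip, home_net):
    """True if ip falls inside any CIDR in home_net (stand-in for $HOME_NET)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in home_net)


def syn_flood_alerts(packets, home_net, count=100, seconds=5.0):
    """Return [(ts, src), ...] alert events for the rule above.

    packets: iterable of (ts, src, dst, flags); flags is a string such as
    "S", "SA", "A", "PA".  The rule matches only when flags == "S" (SYN and
    nothing else, which is what flags:S means) and dst is in home_net.
    Threshold type 'both': one alert per source when the match count reaches
    `count` inside a `seconds` window, then silence until the window expires.
    """
    windows = {}   # src -> [window_start_ts, matches_in_window]
    alerts = []
    for ts, src, dst, flags in packets:
        if flags != "S" or not in_home_net(dst, home_net):
            continue  # header or flags do not match; threshold never sees it
        win = windows.get(src)
        if win is None or ts - win[0] > seconds:
            win = windows[src] = [ts, 0]  # first match opens a new interval
        win[1] += 1
        if win[1] == count:               # == not >=: exactly one alert per interval
            alerts.append((ts, src))
    return alerts


def build_sample_traffic():
    """Constructed packet list resembling the lab above (not a real capture)."""
    pkts = []
    # h2 -> h1 iperf: one SYN, SYN/ACK back, then data segments (no SYN).
    pkts.append((0.000, "10.0.0.2", "10.0.0.1", "S"))
    pkts.append((0.001, "10.0.0.1", "10.0.0.2", "SA"))
    pkts += [(0.002 + i * 0.01, "10.0.0.2", "10.0.0.1", "PA") for i in range(50)]
    # h3 -> h1 hping3 -S --flood: 250 SYNs in half a second, starting at t=1.0.
    pkts += [(1.0 + i * 0.002, "10.0.0.3", "10.0.0.1", "S") for i in range(250)]
    # A second burst 9 s later, after the 5 s threshold window has expired.
    pkts += [(10.0 + i * 0.002, "10.0.0.3", "10.0.0.1", "S") for i in range(120)]
    return sorted(pkts)


if __name__ == "__main__":
    traffic = build_sample_traffic()
    # HOME_NET covering the mininet subnet: the flood source trips the rule.
    print(syn_flood_alerts(traffic, ["10.0.0.0/8"]))
    # HOME_NET that does not contain 10.0.0.1: nothing is ever counted.
    print(syn_flood_alerts(traffic, ["192.168.0.0/16"]))
```

With `HOME_NET` covering 10.0.0.0/8 the simulation produces two alerts, both attributed to 10.0.0.3: one when the 100th SYN of the first burst arrives (the remaining 150 SYNs in that 5 s window are silent by design of `type both`), and one for the second burst after the window has expired. With a `HOME_NET` that excludes 10.0.0.1 it produces none, and the normal h2 handshake never contributes because only its single SYN packet has `flags:S`. Two things worth verifying against the real setup are therefore the `HOME_NET` value in suricata.yaml and that the interface Suricata listens on actually carries the h3 -> h1 packets from the mininet switch.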