Full Version: Snort config for AntiDos
The Planet Forums > Security > DoS & D-DoS Mitigation
MasterChief
Rising from the rubble caused by the exhaustive POP3 DoS attacks I've been suffering from, and deciding to use this small window of time to patch my server up, I decided to activate AntiDos, which was, relatively speaking, an easy job, but I understood that it required Snort since it scans its portscan.log file.

Snort wasn't on the server so I had to install it, which was not a big deal, but then I found that Snort can be set up in 1000001 ways, and I'm really not sure how it should be set up for AntiDos to make use of it.

Any help or advice would be greatly appreciated, especially if it comes before my next battle with DoS.

Tks,
MC
Guspaz
What types of DoS attack? There are ways to fight it on the application configuration level that you might be able to try.

Also, if you are under a DoS attack, but the Cisco Guard system hasn't picked it up, I think you can request that they manually put filtering on your IP.
MasterChief
POP3 mainly (port 110).

It seems that AntiDos and BFD are taking care of most of the attacks and automatically blocking the offending IP. The funny part is that sometimes the BFD and AntiDOS alert emails contain only 3-4 lines it suspects as an attack and base the blocking accordingly. I'm sure I left the default config values (25 lines, 15 matches, etc.).

The blocked IP list is growing. I'm also not sure if apf will ever unblock the IPs automatically.

The main reason for my post: AntiDoS scans /var/log/portscan.log, which apparently Snort uses for logging. There seems to be more than one way to run Snort; I'm just not sure which is best compatible with AntiDoS.

Tks,
MC
dezignguy
So it's actually a DDOS then?

If you carefully read through the APF related docs, you'll find that Snort is not actually necessary, as AntiDOS can parse the APF logs as well. But since you apparently already have it set up, I suppose that you might as well use it.

No, APF won't ever unblock any IPs automatically... you'll have to remove them manually once the DDOS has stopped.
MasterChief
The list of blocked IPs has grown, which possibly resulted in a performance issue on the server, so I had to clear the lists completely.

The issue here is that from the automated emails I receive from AntiDos or BFD, I'm noticing that blockage takes place even if the number of requests detected is less than the threshold I defined in the config files.

I think Snort is currently doing nothing, so I'm going to stop it from running as the config/installation doesn't look right, as per my comments above.

Tks.
KTFCC
Snort is actually a very useful tool. The tool's usability with AntiDOS for APF is for nmap floods, because Snort detects port scans.