I have a Snort rules for preventing DoS attack on SDN. Here it is :

alert tcp any any -> any any (sid: 2; msg: "TCP SYN packet flooding (simple or distributed) attempt"; threshold: type both, track by_dst, count 10000, seconds 60; flow:stateless; flags:S,12; rev:1 )

And the command for attacking is :

attacker hping3 –c 100 –d 120 -S -w 64 -p 53 -flood victim

I have tried to attack by running the command above and it generates 1 alert on snort log everytime i run that. But i got confused about the meaning of the rules above. Can anyone tell me how that rules above actually work ? Especially on "count 10000, seconds 60" part. How does it work to prevent the attack ? Thanks before (Sorry for my bad grammar)

i believe that if snort sees 10.000 syn packets in 60 seconds that rule is triggered.

that looks for syns.

But my attack command is: attacker hping3 –c 100 –d 120 -S -w 64 -p 53 -flood victim
which means that i send 100 packets Syn.
So, why the rule also triggered (alerting on snort) while i was just attacking once (100 packets syn only)

It might be that snort is seeing 10000 per 60 seconds, or 1000/second, or 100/0.1s.