[Snort-users] letdown, dos attempt not detecting

Y M snort at ...15979...
Tue Dec 11 12:56:08 EST 2012


Because this is a custom rule, it has to he manually added to the sid-msg.map file, for example:

1000024 || DOS syn attempt || url, <add the tool for reference>

Also add the the URL to your Snort rule (and revision number too :) ). If the alert is showing in BASE as Snort Alert [1:1000024:1], which stands for gid:sid:rev , then you will have to update the "signature" table in the database, barnyard2 documents the update statement to execute.

Thanks for the rule.

YM
________________________________
From: Leonardo Pezente<mailto:lmpezente at ...11827...>
Sent: ‎12/‎11/‎2012 8:41 PM
To: Russ Combs<mailto:rcombs at ...1935...>
Cc: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] letdown, dos attempt not detecting

its really works, thanks. here is the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS syn attempt";
flags:S; flow:to_server; classtype:attempted-dos; detection_filter: track
by_src, count 1000, seconds 40; sid:1000024;)

the only think is: i cant see the msg on BASE GUI, and this is a really
interesting thing.
2012/12/11 Russ Combs <rcombs at ...1935...>

>
>
> On Tue, Dec 11, 2012 at 11:45 AM, Leonardo Pezente <lmpezente at ...11827...>wrote:
>
>> im testing snort attacking it with a tool called "letdown".it is a tcp
>> floder. The think is: im not able to detect what could be a potencial dos
>> attack.
>> Letdown generate like 65000 syn packets, so this should be detect fot
>> snort. I have uncomment the dos and ddos rules, but no deal. so im tring to
>> create a rule to detct this kind of traffic. Is that possible? any idea how
>> i can do that?
>>
>
> Check out Snort's README.filters.  There are rate_filter examples for
> 135:1 that you can start with.
>
>>
>>
>> ------------------------------------------------------------------------------
>> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
>> Remotely access PCs and mobile devices and provide instant support
>> Improve your efficiency, and focus on delivering more value-add services
>> Discover what IT Professionals Know. Rescue delivers
>> http://p.sf.net/sfu/logmein_12329d2d
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121211/cacf3ec0/attachment.html>
-------------- next part --------------
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
-------------- next part --------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


More information about the Snort-users mailing list