[Snort-users] letdown, dos attempt not detecting

Jeremy Hoel jthoel at ...11827...
Tue Dec 11 12:59:33 EST 2012


What do you have snort's output set to?
Have you checked the mysql tables directly?
Does barnyard give any errors (and is it running?)?

On Tue, Dec 11, 2012 at 5:40 PM, Leonardo Pezente <lmpezente at ...11827...> wrote:
> It really works, thanks. Here is the rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS syn attempt";
> flags:S; flow:to_server; classtype:attempted-dos; detection_filter: track
> by_src, count 1000, seconds 40; sid:1000024;)
>
> The only thing is: I can't see the msg on the BASE GUI, and this is a really
> interesting thing.
>
> 2012/12/11 Russ Combs <rcombs at ...1935...>
>>
>>
>>
>> On Tue, Dec 11, 2012 at 11:45 AM, Leonardo Pezente <lmpezente at ...11827...>
>> wrote:
>>>
>>> I'm testing Snort by attacking it with a tool called "letdown". It is a TCP
>>> flooder. The thing is: I'm not able to detect what could be a potential DoS
>>> attack.
>>> Letdown generates about 65000 SYN packets, so this should be detected by
>>> Snort. I have uncommented the dos and ddos rules, but no deal. So I'm trying to
>>> create a rule to detect this kind of traffic. Is that possible? Any idea how
>>> I can do that?
>>
>>
>> Check out Snort's README.filters.  There are rate_filter examples for
>> 135:1 that you can start with.
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
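The detection_filter in the rule quoted above only fires once a single source exceeds 1000 SYNs inside a 40-second window, so a flood spread thinly over time never trips it. The following is an added, simplified model of that behaviour (not Snort's own code; the fixed window that starts at a host's first packet and the "fires on the count+1th packet" rule are assumptions taken from README.filters) that parses the option out of the rule text and replays constructed traffic through it:

```python
"""Simplified model of Snort's detection_filter rule option (added example)."""
import re

# The rule from the thread, as one string.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS syn attempt"; '
        'flags:S; flow:to_server; classtype:attempted-dos; '
        'detection_filter: track by_src, count 1000, seconds 40; sid:1000024;)')

def parse_detection_filter(rule):
    """Pull track/count/seconds out of the rule's detection_filter option."""
    m = re.search(r'detection_filter:\s*track\s+(by_src|by_dst),\s*count\s+(\d+),'
                  r'\s*seconds\s+(\d+)', rule)
    if not m:
        raise ValueError("no detection_filter option in rule")
    return {"track": m.group(1), "count": int(m.group(2)), "seconds": int(m.group(3))}

class DetectionFilter:
    """Per-host counter over a fixed window anchored at the host's first packet.
    Assumption: fires once more than `count` packets fall inside `seconds`."""
    def __init__(self, track, count, seconds):
        self.track, self.count, self.seconds = track, count, seconds
        self.state = {}  # host -> (window_start, packets_in_window)

    def packet(self, ts, src, dst):
        key = src if self.track == "by_src" else dst
        start, n = self.state.get(key, (ts, 0))
        if ts - start >= self.seconds:   # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        self.state[key] = (start, n)
        return n > self.count            # True means the rule fires on this packet

def run_flood(rule, packets):
    """Feed (timestamp, src, dst) SYNs through the filter; return indexes that alert."""
    f = DetectionFilter(**parse_detection_filter(rule))
    return [i for i, (ts, s, d) in enumerate(packets) if f.packet(ts, s, d)]

# Constructed traffic (documentation addresses, not real hosts):
# 1200 SYNs from one host in 30 s -> alerts from the 1001st packet onward.
FLOOD = [(i * 0.025, "198.51.100.7", "192.0.2.10") for i in range(1200)]
# 2000 SYNs from one host spread over 200 s -> never 1000 in any 40 s window.
SLOW = [(i * 0.1, "198.51.100.8", "192.0.2.10") for i in range(2000)]
# A handful of ordinary connections -> no alert.
NORMAL = [(i * 5.0, "203.0.113.5", "192.0.2.10") for i in range(5)]

if __name__ == "__main__":
    for name, pkts in (("FLOOD", FLOOD), ("SLOW", SLOW), ("NORMAL", NORMAL)):
        print(name, "alerts:", len(run_flood(RULE, pkts)))
```

The SLOW case is the one to keep in mind when a tool like letdown is throttled: the packet total can be huge while no single 40-second window ever crosses the count.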