[Snort-users] letdown, dos attempt not detecting

Leonardo Pezente lmpezente at ...11827...
Tue Dec 11 13:28:39 EST 2012


thanks a lot again, its has worked.

2012/12/11 Y M <snort at ...15979...>

> Corrections below.
>
> ------------------------------
> To: lmpezente at ...11827...; rcombs at ...1935...
> From: snort at ...15979...
> Date: Tue, 11 Dec 2012 20:56:08 +0300
> CC: snort-users at lists.sourceforge.net
>
> Subject: Re: [Snort-users] letdown, dos attempt not detecting
>
>  Because this is a custom rule, it has to be manually added at least for
> now to the sid-msg.map file, for example:
>
> 1000024 || DOS syn attempt || url, <add the tool url for reference>
>
>
> Also add the the URL to your Snort rule (and revision number too :) ). If
> the alert is showing in BASE as Snort Alert [1:1000024:1], which stands for
> gid:sid:rev , then you will have to update the "signature" table in the
> database, barnyard2 documents the update statement to execute.
>
> Then you can add the tool to the local.rules file, and tell PulledPork if
> are using it to process local rules as part of its processing.
>
>
> Thanks for the rule.
>
> YM
>  ------------------------------
> From: Leonardo Pezente <lmpezente at ...11827...>
> Sent: 12/11/2012 8:41 PM
> To: Russ Combs <rcombs at ...1935...>
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] letdown, dos attempt not detecting
>
>  its really works, thanks. here is the rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS syn attempt";
> flags:S; flow:to_server; classtype:attempted-dos; detection_filter: track
> by_src, count 1000, seconds 40; sid:1000024;)
>
>  the only think is: i cant see the msg on BASE GUI, and this is a really
> interesting thing.
> 2012/12/11 Russ Combs <rcombs at ...1935...>
>
>
>
>  On Tue, Dec 11, 2012 at 11:45 AM, Leonardo Pezente <lmpezente at ...11827...>wrote:
>
> im testing snort attacking it with a tool called "letdown".it is a tcp
> floder. The think is: im not able to detect what could be a potencial dos
> attack.
> Letdown generate like 65000 syn packets, so this should be detect fot
> snort. I have uncomment the dos and ddos rules, but no deal. so im tring to
> create a rule to detct this kind of traffic. Is that possible? any idea how
> i can do that?
>
>
>  Check out Snort's README.filters.  There are rate_filter examples for
> 135:1 that you can start with.
>
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support Improve
> your efficiency, and focus on delivering more value-add services Discover
> what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________ Snort-users mailing list
> Snort-users at lists.sourceforge.net Go to this URL to change user options
> or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-usersPlease visit
> http://blog.snort.org to stay current on all the latest Snort news!
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support Improve
> your efficiency, and focus on delivering more value-add services Discover
> what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________ Snort-users mailing list
> Snort-users at lists.sourceforge.net Go to this URL to change user options
> or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-usersPlease visit
> http://blog.snort.org to stay current on all the latest Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121211/bbf23007/attachment.html>


More information about the Snort-users mailing list