[Snort-users] Unable to detect port-specific DoS attack

Mayur Patil ram.nath241089 at ...11827...
Mon Sep 2 04:10:48 EDT 2013


Hi to All,

    As per Gregory and Wei Chea, I am attaching here the output of the pcap
file generated by Wireshark.

    Steps I followed are:

     1. I run snort in NIDS mode

         snort -c /etc/snort/snort.conf -l /var/log/snort

     2. Then I start capture of packets on eth0 interface.

     3. I perform the DoS flood attack; the output it generated I am attaching
here

         http://fpaste.org/36432/

     Seeking for guidance,

     Thanks!!

PS. I was unable to send earlier as my setup is in the college.

--
Cheers,
Mayur.





On Thu, Aug 29, 2013 at 10:50 AM, Mayur Patil <ram.nath241089 at ...11827...> wrote:

> Hi Greg,
>
>   Please guide the location.
>
>   Is it /var/log/snort/alert? Because, as per my little knowledge, this is
> the location which holds the generated result of the snort rules.
>
>   Thanks !
>
>
> On Thu, Aug 29, 2013 at 10:39 AM, Gregory W. MacPherson <
> greg at ...15873...> wrote:
>
>> There seems to be a communication problem...
>>
>> First, the files you listed are *not* 'pcap' files. They are various
>> libraries and programs that are used *with* pcap files.
>>
>> A 'pcap' file is a packet capture that is generated by a program that is
>> able to place the network interface into 'promiscuous' mode and
>> 'capture' the 'packets' that the interface receives. An example of a
>> program that can 'generate' pcap files is wireshark (Google).
>>
>> What is being asked for is the output from such a program that can
>> illustrate the network traffic that is being passed to/through your
>> SNORT box.
>>
>> -- Greg
>>
>>
>> On or about 2013.08.29 10:18:50 +0530, Mayur Patil (
>> ram.nath241089 at ...11827...) said:
>>
>> > Hi,
>> >
>> >    I have found pcap files at these locations; please suggest which one
>> > I should send.
>> >
>> >
>> >
>> >   /var/lib/yum/yumdb/l/a73becfaf9eee2c429b69b930bd4c5339d089942-libpcap-1.0.0-6.20091201git117cb5.el6-x86_64
>> >   /usr/share/doc/libpcap-1.0.0
>> >   /usr/share/doc/libpcap-1.0.0/pcap.txt
>> >   /usr/share/man/man7/pcap-filter.7.gz
>> >   /usr/share/man/man7/pcap-linktype.7.gz
>> >   /usr/share/texmf/tex/latex/oberdiek/hypcap.sty
>> >   /usr/share/texmf/tex/latex/ltxmisc/topcapt.sty
>> >   /usr/lib64/libpcap.so.1.0.0
>> >   /usr/lib64/libpcap.so.1
>> >   /usr/lib64/gstreamer-0.10/libgstpcapparse.so
>> >   /usr/sbin/getpcaps
>> >   /selinux/class/capability/perms/setpcap
>> >
>> >   Seeking for guidance,
>> >
>> >    Thanks!
>> >
>> >
>> >
>> > --
>> > Cheers,
>> > Mayur
>> >
>> >
>> > On Tue, Aug 27, 2013 at 6:51 PM, Wei Chea Ang <weichea at ...11827...> wrote:
>> >
>> > > Can you share the pcap?
>> > >
>> > > On 27 Aug, 2013 7:53 PM, "Mayur Patil" <ram.nath241089 at ...11827...> wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >>   I have written a rule
>> > >>
>> > >>   alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>> > >>
>> > >>
>> > >>   which generates alerts for random ports which are not on my
>> > >> list... fine.
>> > >>
>> > >>   But if I write it port-specific, it does not log into the alert file:
>> > >>   alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>> > >>
>> > >>  What actually am I missing?
>> > >>
>> > >>  Please help
>> > >>
>> > >>  Thanks !
>> > >>
>> > >>
>> > >>
>> > >>
>>
>


-- 
Yours Sincerely,
Mayur S. Patil,
ME COMP ENGG,
MITCOE,
Pune.

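To make the behaviour of the two quoted rules easier to reason about, here is a small Python model of how a Snort rule header is matched before its detection_filter counter is updated. This is an added illustration, not Snort's code and not part of the thread; it assumes $HOME_NET is 192.168.21.0/24, uses constructed flood traffic (two bursts of 60 packets to port 514, one from an address outside the rule's source list and one from 192.168.21.1), and models detection_filter as Snort's manual describes it: with track by_dst, count 50, seconds 1 the rule fires on every matching packet after the 50th seen for the same destination inside a one-second window.

```python
"""Toy model of Snort rule-header matching plus detection_filter (track by_dst).

Added example; simplified, not Snort's implementation. Assumptions:
  * HOME_NET is 192.168.21.0/24
  * the flood traffic below is constructed, not captured
"""
from dataclasses import dataclass, field
import ipaddress

HOME_NET = ipaddress.ip_network("192.168.21.0/24")  # assumption


@dataclass
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    src_ips: str           # "any" or "[ip,ip,...]" as written in a Snort header
    dport: int
    count: int             # detection_filter count
    seconds: float         # detection_filter seconds
    state: dict = field(default_factory=dict)  # dst -> (window_start, n_matches)


def ip_list_matches(spec: str, ip: str) -> bool:
    """Match an IP against a Snort-style source list ('any', single IP, or [a,b])."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    for item in spec.strip("[]").split(","):
        if addr in ipaddress.ip_network(item.strip(), strict=False):
            return True
    return False


def header_matches(rule: Rule, pkt: Packet) -> bool:
    """Source list, $HOME_NET destination and destination port must all match."""
    return (ip_list_matches(rule.src_ips, pkt.src)
            and ipaddress.ip_address(pkt.dst) in HOME_NET
            and pkt.dport == rule.dport)


def detection_filter(rule: Rule, pkt: Packet) -> bool:
    """track by_dst: count header matches per destination; alert once the
    count inside the window exceeds rule.count (the 51st match and later)."""
    start, n = rule.state.get(pkt.dst, (pkt.ts, 0))
    if pkt.ts - start >= rule.seconds:   # window expired: start a fresh one
        start, n = pkt.ts, 0
    n += 1
    rule.state[pkt.dst] = (start, n)
    return n > rule.count


def run_rule(rule: Rule, packets) -> list:
    """Return the packets that would produce an alert for this rule."""
    rule.state.clear()
    return [p for p in packets if header_matches(rule, p) and detection_filter(rule, p)]


def flood(src: str, dst: str, start_ts: float, n: int) -> list:
    """Constructed burst: n packets to dst:514, 10 ms apart."""
    return [Packet(start_ts + i * 0.01, src, dst, 514) for i in range(n)]


# Constructed traffic: one burst from an address outside the source list,
# then (5 s later) one burst from a listed address.
PACKETS = (flood("10.0.0.5", "192.168.21.50", 0.0, 60)
           + flood("192.168.21.1", "192.168.21.50", 5.0, 60))

RULE_ANY = Rule("any", 514, 50, 1.0)
RULE_LISTED = Rule("[192.168.21.1,192.168.21.2]", 514, 50, 1.0)

if __name__ == "__main__":
    for name, rule in (("any-source rule", RULE_ANY), ("listed-source rule", RULE_LISTED)):
        hits = run_rule(rule, PACKETS)
        srcs = sorted({p.src for p in hits})
        print(f"{name}: {len(hits)} alerts, sources {srcs}")
```

With this traffic the any-source rule alerts 20 times (10 per burst), while the listed-source rule alerts only 10 times, all for packets from 192.168.21.1: the burst from 10.0.0.5 never passes the header, so the counter for that destination is never incremented. The check to make when a narrowed rule goes silent is therefore whether the flood's real source addresses are inside the bracketed list. Separately, Snort 2.x refuses to load two rules with the same gid/sid pair, so a copy that keeps sid:25101 needs its own sid (or the original removed) before it can alert at all.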