[Snort-users] Unable to detect port-specific DoS attack

Mayur Patil ram.nath241089 at ...11827...
Mon Sep 2 14:09:43 EDT 2013


Hi to All,

    According to Gregory and Wei Chea, I am attaching here the output of the pcap
file generated by Wireshark.

    Steps I followed are:

     1. I ran Snort in NIDS mode:

         snort -c /etc/snort/snort.conf -l /var/log/snort

     2. Then I started capturing packets on the eth0 interface.

     3. I performed the DoS flood attack; the output it generated is attached here:

         http://fpaste.org/36432/

     Seeking guidance,

     Thanks!!

PS. I was unable to send earlier as my setup is in the college.
--
Cheers,
Mayur.



On Mon, Sep 2, 2013 at 1:40 PM, Mayur Patil <ram.nath241089 at ...11827...>wrote:

> On Thu, Aug 29, 2013 at 10:50 AM, Mayur Patil <ram.nath241089 at ...11827...>wrote:
>
>> Hi Greg,
>>
>>   Please guide me to the location.
>>
>>   Is it /var/log/snort/alert? As per my little knowledge, this is
>> the location which holds the generated results of the Snort rules.
>>
>>   Thanks !
>>
>>
>> On Thu, Aug 29, 2013 at 10:39 AM, Gregory W. MacPherson <
>> greg at ...15873...> wrote:
>>
>>> There seems to be a communication problem...
>>>
>>> First, the files you listed are *not* 'pcap' files. They are various
>>> libraries and programs that are used *with* pcap files.
>>>
>>> A 'pcap' file is a packet capture that is generated by a program that is
>>> able to place the network interface into 'promiscuous' mode and
>>> 'capture' the 'packets' that the interface receives. An example of a
>>> program that can 'generate' pcap files is Wireshark (Google).
>>>
>>> What is being asked for is the output from such a program that can
>>> illustrate the network traffic that is being passed to/through your
>>> SNORT box.
>>>
>>> -- Greg
>>>
>>>
>>> On or about 2013.08.29 10:18:50 +0530, Mayur Patil (
>>> ram.nath241089 at ...11827...) said:
>>>
>>> > Hi,
>>> >
>>> >    I have found pcap files at these locations; please suggest which one
>>> > I should send:
>>> >
>>> >   /var/lib/yum/yumdb/l/a73becfaf9eee2c429b69b930bd4c5339d089942-libpcap-1.0.0-6.20091201git117cb5.el6-x86_64
>>> >   /usr/share/doc/libpcap-1.0.0
>>> >   /usr/share/doc/libpcap-1.0.0/pcap.txt
>>> >   /usr/share/man/man7/pcap-filter.7.gz
>>> >   /usr/share/man/man7/pcap-linktype.7.gz
>>> >   /usr/share/texmf/tex/latex/oberdiek/hypcap.sty
>>> >   /usr/share/texmf/tex/latex/ltxmisc/topcapt.sty
>>> >   /usr/lib64/libpcap.so.1.0.0
>>> >   /usr/lib64/libpcap.so.1
>>> >   /usr/lib64/gstreamer-0.10/libgstpcapparse.so
>>> >   /usr/sbin/getpcaps
>>> >   /selinux/class/capability/perms/setpcap
>>> >
>>> >   Seeking guidance,
>>> >
>>> >    Thanks!
>>> >
>>> >
>>> >
>>> > --
>>> > Cheers,
>>> > Mayur
>>> >
>>> >
>>> > On Tue, Aug 27, 2013 at 6:51 PM, Wei Chea Ang <weichea at ...11827...>
>>> wrote:
>>> >
>>> > > Can you share the pcap?
>>> > > On 27 Aug, 2013 7:53 PM, "Mayur Patil" <ram.nath241089 at ...11827...>
>>> wrote:
>>> > >
>>> > >> Hi,
>>> > >>
>>> > >>   I have written a rule
>>> > >>
>>> > >>   alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>>> > >>
>>> > >>   which generates alerts for random ports which are not on my
>>> > >> list... fine.
>>> > >>
>>> > >>   But if I write it port-specific, it does not log into the alert file:
>>> > >>
>>> > >>   alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>>> > >>
>>> > >>  What actually am I missing?
>>> > >>
>>> > >>  Please help
>>> > >>
>>> > >>  Thanks !
>>> > >>
>>> > >>
>>> > >>
>>> > >>
>>>
>>
>
>
>


-- 
Yours Sincerely,
Mayur S. Patil,
ME COMP ENGG,
MITCOE,
Pune.

Contact:
<https://www.facebook.com/mayurram> <https://twitter.com/RamMayur>
<https://plus.google.com/u/0/107426396312814346345/about>
<http://in.linkedin.com/pub/mayur-patil/35/154/b8b/>
<http://stackoverflow.com/users/1528044/rammayur>
<https://myspace.com/mayurram> <https://github.com/ramlaxman>
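The rule under discussion in this thread relies on detection_filter:track by_dst, count 50, seconds 1, and the variant that fails restricts the source to [192.168.21.1,192.168.21.2]. The script below is an added example, not Snort's code and not from any poster: it models that per-destination rate threshold over constructed packet records so one can check whether a capture's actual source addresses would ever reach the threshold for the restricted rule. The window-reset and "alert after the count-th match" behaviour are a simplified assumption about Snort's detection_filter, and all addresses and packet tuples are constructed.

```python
"""Simplified model of a Snort detection_filter rule (assumption, not Snort's own logic):
   alert tcp <src_list> any -> $HOME_NET 514 (... detection_filter:track by_dst, count 50, seconds 1; ...)
Constructed packets only; no capture is read."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


def parse_src_list(spec):
    """Parse 'any' or a Snort-style '[a,b,c]' address list (assumption: no '!' negation, no variables)."""
    if spec == "any":
        return None
    return [ip_network(s.strip(), strict=False) for s in spec.strip("[]").split(",")]


def src_matches(nets, src):
    return nets is None or any(ip_address(src) in n for n in nets)


def run_rule(packets, src_spec, dport, count, seconds):
    """packets: iterable of (time_seconds, src_ip, dst_ip, dst_port).
    Returns a list of (time, dst) alerts. Model: per-destination match counter inside a
    window that starts at the first match and resets once `seconds` have elapsed; an
    event is raised for every match after the count-th one (assumed semantics)."""
    nets = parse_src_list(src_spec)
    state = defaultdict(lambda: [None, 0])  # dst -> [window_start, matches_in_window]
    alerts = []
    for t, src, dst, dp in packets:
        if dp != dport or not src_matches(nets, src):
            continue  # rule header does not match: never counted
        start, n = state[dst]
        if start is None or t - start >= seconds:
            start, n = t, 0  # new window for this destination
        n += 1
        state[dst] = [start, n]
        if n > count:
            alerts.append((t, dst))
    return alerts


def flood(src, dst, n, start=0.0, dport=514):
    """Constructed flood: n packets spread evenly over one second."""
    return [(start + i / n, src, dst, dport) for i in range(n)]


if __name__ == "__main__":
    restricted = "[192.168.21.1,192.168.21.2]"
    pcap = flood("10.0.0.9", "192.168.21.50", 80)  # flood source NOT in the rule's list
    print("any-source rule alerts:", len(run_rule(pcap, "any", 514, 50, 1)))          # 30
    print("restricted rule alerts:", len(run_rule(pcap, restricted, 514, 50, 1)))     # 0
    pcap2 = flood("192.168.21.1", "192.168.21.50", 80)  # source that IS in the list
    print("restricted rule, listed src:", len(run_rule(pcap2, restricted, 514, 50, 1)))  # 30
```

If the restricted rule returns nothing for your capture while the "any" rule fires, the flood's source addresses are simply not in the rule's list, which is exactly what the script's first two cases show.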