[Snort-users] [snort-user] rule unable to detect port specific DoS attack

Mayur Patil ram.nath241089 at ...11827...
Tue Sep 3 01:44:40 EDT 2013


Hello All, I have used the rule

 alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)


  which generates alerts at random ports which are not on my lists... fine.

   But if I write it port-specific, it does not log into the alert file:
   alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)


  What I did is as follows:

  I am attaching here the output of pcap file generated by wireshark.

     1. I run snort in NIDS mode

         snort -c /etc/snort/snort.conf -l /var/log/snort

     2. Then I start capture of packets on eth0 interface.

     3. I perform a DoS flood attack, the output of which I am attaching here:

         http://fpaste.org/36432/

     Seeking for guidance,

     Please help,

     Thanks!!


-- 
Cheers,
Mayur
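The two rule headers in the post differ only in their source-address field: the first accepts any source, the second only counts packets whose source is 192.168.21.1 or 192.168.21.2, and detection_filter then tallies header matches per destination (track by_dst). The script below is an added illustration written for this thread, not Snort code: it models the header check and a simplified fixed-window version of detection_filter (an assumption about the filter's behaviour, close to the manual's description but not Snort's implementation), runs a constructed burst of syslog traffic through both headers, and shows that a burst from an unlisted source is counted by the first header but never by the second. $HOME_NET, the server address and the source addresses are constructed, not taken from the attached pcap.

```python
"""Model of a Snort rule header plus detection_filter:track by_dst.

Added illustration for this thread; it is not Snort code. The window
handling is a simplified assumption, and all traffic is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOME_NET = ip_network("10.0.0.0/24")  # constructed stand-in for $HOME_NET


@dataclass(frozen=True)
class Rule:
    sid: int
    src_ips: Optional[frozenset]  # None models the "any" source field
    dst_port: int
    count: int                    # detection_filter count
    seconds: float                # detection_filter seconds


# The two headers from the post, reduced to the fields that matter here.
RULE_ANY = Rule(sid=25101, src_ips=None, dst_port=514, count=50, seconds=1)
RULE_LISTED = Rule(
    sid=25101,
    src_ips=frozenset({ip_address("192.168.21.1"), ip_address("192.168.21.2")}),
    dst_port=514, count=50, seconds=1,
)


def header_matches(rule, src, dst, dport):
    """Does 'tcp <src_ips> any -> $HOME_NET <dst_port>' match this packet?"""
    if dst not in HOME_NET:
        return False
    if rule.src_ips is not None and src not in rule.src_ips:
        return False
    return dport == rule.dst_port


def run_rule(rule, packets):
    """Return (ts, src, dst) for every packet that would raise an alert.

    Modelled detection_filter semantics (assumption): per destination,
    count header matches inside a window of `seconds`; the alert fires on
    the match that pushes the tally above `count` and on every later match
    in the same window. Packets that fail the header are never counted.
    """
    windows = {}  # dst -> (window_start, matches_in_window)
    alerts = []
    for ts, src, dst, dport in packets:
        if not header_matches(rule, src, dst, dport):
            continue
        start, n = windows.get(dst, (ts, 0))
        if ts - start >= rule.seconds:  # window elapsed: restart the tally
            start, n = ts, 0
        n += 1
        windows[dst] = (start, n)
        if n > rule.count:
            alerts.append((ts, src, dst))
    return alerts


def flood(src, dst, n, t0=0.0, gap=0.005):
    """Constructed burst: n packets to dst:514 spaced `gap` seconds apart."""
    return [(t0 + i * gap, ip_address(src), ip_address(dst), 514) for i in range(n)]


SERVER = "10.0.0.5"                                 # constructed syslog host
FLOOD_LISTED = flood("192.168.21.1", SERVER, 60)    # source named in the rule
FLOOD_OTHER = flood("192.168.21.77", SERVER, 60)    # source not in the list

if __name__ == "__main__":
    for name, pkts in (("listed source", FLOOD_LISTED), ("other source", FLOOD_OTHER)):
        print(f"{name}: any-source rule -> {len(run_rule(RULE_ANY, pkts))} alerts, "
              f"listed-source rule -> {len(run_rule(RULE_LISTED, pkts))} alerts")
```

Running it prints 10 alerts for both rules on the burst from 192.168.21.1 (packets 51 to 60 inside the one-second window) and 10 versus 0 on the burst from 192.168.21.77, which is the check to make against the attached pcap: only packets whose source sits in the header's IP list contribute to the detection_filter tally, so a flood from any other host can never reach count 50 under the second rule. A slow stream of 60 packets spread over six seconds produces no alerts under either rule, because no single window ever exceeds the count.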

