[Snort-users] [snort-user] rule unable to detect port specific DoS attack

Joel Esler jesler at ...1935...
Tue Sep 3 11:11:35 EDT 2013


On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 at ...11827...> wrote:

> Hello All, I have used the rule
> 
> alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
> 
> 
> which generates alerts at random ports which are not on my lists... fine.
> 
> But if I write it port-specific, it does not log into the alert file:
> 
> alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
> 
> 
> What I did is as follows:
> 
> I am attaching here the output of the pcap file generated by Wireshark.
> 
>   1. I run snort in NIDS mode:
> 
>      snort -c /etc/snort/snort.conf -l /var/log/snort
> 
>   2. Then I start capturing packets on the eth0 interface.
> 
>   3. I perform the DoS flood attack, the output of which I am attaching here:
> 
>      http://fpaste.org/36432/
> 
> Seeking guidance,
> 
> Please help,
> 
> Thanks!!
> 


Is the traffic TCP or UDP?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
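The difference between the two rules in the thread comes down to two things the rule header decides before detection_filter ever runs: the protocol keyword and the source IP list. The model below is an added example written for this page, not code from the thread, from the Snort project or from the poster's pcap. It replays constructed packets against the rule headers discussed above (plus UDP variants) and counts alerts using the detection_filter semantics as the Snort manual describes them (track by_dst, fire on every match after the first `count` matches within `seconds`); the value of $HOME_NET is assumed to be 192.168.21.0/24, and all packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed value for $HOME_NET (the thread does not show snort.conf).
HOME_NET = [ip_network("192.168.21.0/24")]


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str                          # rule header protocol: "tcp", "udp" or "ip"
    src_ips: Optional[Tuple[str, ...]]  # None models "any"; a tuple models an IP list
    dport: int                          # destination port (514 in the thread)
    count: int                          # detection_filter count
    seconds: float                      # detection_filter seconds


def header_matches(rule: Rule, pkt: Packet) -> bool:
    """Rule header check: protocol, source IP list, $HOME_NET destination, port."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src_ips is not None and pkt.src not in rule.src_ips:
        return False
    if not any(ip_address(pkt.dst) in net for net in HOME_NET):
        return False
    return pkt.dport == rule.dport


def detection_filter_alerts(rule: Rule, packets: List[Packet]) -> List[Tuple[float, str]]:
    """Model of detection_filter 'track by_dst': one counter and window per
    destination host; the rule fires on every match after the first `count`
    matches inside `seconds` of the window start. This follows the manual's
    description, not Snort's source. Returns (timestamp, dst) per alert."""
    windows: Dict[str, List[float]] = {}   # dst -> [window_start, matches_in_window]
    fired: List[Tuple[float, str]] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not header_matches(rule, pkt):
            continue
        win = windows.get(pkt.dst)
        if win is None or pkt.ts - win[0] >= rule.seconds:
            windows[pkt.dst] = [pkt.ts, 1]   # start a fresh window
            continue
        win[1] += 1
        if win[1] > rule.count:
            fired.append((pkt.ts, pkt.dst))
    return fired


def constructed_capture() -> List[Packet]:
    """Constructed traffic (not the poster's pcap):
    - 60 UDP packets from 192.168.21.1 to 192.168.21.10:514 within 0.6 s
    - 40 UDP packets from 192.168.21.2 to 192.168.21.11:514 in the same window
    - 60 TCP packets from 192.168.21.3 to 192.168.21.10:514 two seconds later"""
    pkts = [Packet(i * 0.01, "udp", "192.168.21.1", "192.168.21.10", 514) for i in range(60)]
    pkts += [Packet(0.005 + i * 0.01, "udp", "192.168.21.2", "192.168.21.11", 514) for i in range(40)]
    pkts += [Packet(2.0 + i * 0.01, "tcp", "192.168.21.3", "192.168.21.10", 514) for i in range(60)]
    return pkts


def simulate() -> Dict[str, int]:
    """Alert counts for the rule headers discussed in the thread, plus UDP variants."""
    listed = ("192.168.21.1", "192.168.21.2")
    rules = {
        "tcp any -> 514": Rule("tcp", None, 514, 50, 1.0),
        "tcp [192.168.21.1,192.168.21.2] -> 514": Rule("tcp", listed, 514, 50, 1.0),
        "udp any -> 514": Rule("udp", None, 514, 50, 1.0),
        "udp [192.168.21.1,192.168.21.2] -> 514": Rule("udp", listed, 514, 50, 1.0),
    }
    capture = constructed_capture()
    return {name: len(detection_filter_alerts(rule, capture)) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, n in simulate().items():
        print(f"{name:42s} {n:3d} alert(s)")
```

Two things stand out in the counts. The `tcp` header with the IP list produces no alerts because the only TCP flood in the capture comes from a source that is not in the list, and the UDP packets never reach detection_filter at all; syslog on 514 is commonly UDP, which is why the question of TCP versus UDP matters before anything else in the rule is examined. Second, `track by_dst` keeps a separate counter per destination host, so the 40-packet flow to 192.168.21.11 stays under the threshold even though it happens in the same second as the 60-packet flow to 192.168.21.10.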

