[Snort-users] [snort-user] rule unable to detect port specific DoS attack

Mayur Patil ram.nath241089 at ...11827...
Tue Sep 3 11:18:12 EDT 2013


Hello Joel Sir,

     The attack is from the command line, and the command is

     [root at ...16515...]# hping3 --rand-source <ip> -p 514 -S -L 0

    From the hping.org site:

> It supports TCP, UDP, ICMP and RAW-IP protocols

   so I am confused about it.

    Please guide me where I am mistaken!
--
Cheers,
Mayur

On Tue, Sep 3, 2013 at 8:41 PM, Joel Esler <jesler at ...1935...> wrote:

> On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
>
> Hello All, I have used the rule
>
>  alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>
>
>   which generates alerts for random ports which are not on my lists.. fine
>
>    But if I write it port-specific, it does not log into the alert file:
>    alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>
>
>   What I have done is as follows:
>
>   I am attaching here the output of pcap file generated by wireshark.
>
>      1. I run snort in NIDS mode
>
>          snort -c /etc/snort/snort.conf -l /var/log/snort
>
>      2. Then I start capture of packets on eth0 interface.
>
>      3. I perform the DoS flood attack, the output of which I am attaching here:
>
>          http://fpaste.org/36432/
>
>      Seeking guidance,
>
>      Please help,
>
>      Thanks!!
>
>
>
> Is the traffic TCP or UDP?
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>



-- 
Yours Sincerely,
Mayur S. Patil,
ME COMP ENGG,
MITCOE,
Pune.

Contact:
<https://www.facebook.com/mayurram> <https://twitter.com/RamMayur>
<https://plus.google.com/u/0/107426396312814346345/about>
<http://in.linkedin.com/pub/mayur-patil/35/154/b8b/>
<http://stackoverflow.com/users/1528044/rammayur>
<https://myspace.com/mayurram> <https://github.com/ramlaxman>
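Added illustration (not part of the thread and not Snort code): the hping3 command quoted above uses --rand-source, which stamps a fresh spoofed source address on every packet, so a rule header that restricts sources to [192.168.21.1,192.168.21.2] never matches that traffic, while the "any any" header does. The Python model below replays both rule headers from the thread together with a sliding-window approximation of detection_filter:track by_dst, count 50, seconds 1 over two constructed SYN floods: one with random sources (drawn from 10.0.0.0/8 so that none can be on the list) and one from 192.168.21.1. The $HOME_NET member 192.168.21.10, the packet streams and the rule names are assumptions; the two rules get distinct names here because, as posted, both carry sid:25101. Snort's real window bookkeeping differs in detail; only the header-match behaviour is the point.

```python
import random
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

HOME_NET = {"192.168.21.10"}   # assumed $HOME_NET member (constructed)


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src_hosts: Optional[frozenset]   # None means the header said "any"
    dport: int
    count: int      # detection_filter count
    seconds: float  # detection_filter seconds


class DetectionFilter:
    """Model of 'detection_filter: track by_dst, count N, seconds S'.

    Keeps match timestamps per destination in a sliding window and reports
    True once more than N matches fall within S seconds (an approximation of
    Snort's own windowing, not its implementation).
    """

    def __init__(self, count: int, seconds: float):
        self.count = count
        self.seconds = seconds
        self.hits = defaultdict(deque)

    def exceeded(self, key: str, ts: float) -> bool:
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] >= self.seconds:   # drop matches outside the window
            q.popleft()
        return len(q) > self.count


def header_matches(rule: Rule, pkt: Packet) -> bool:
    """Rule header: protocol, source list, $HOME_NET destination, dest port."""
    return (pkt.proto == rule.proto
            and pkt.dport == rule.dport
            and pkt.dst in HOME_NET
            and (rule.src_hosts is None or pkt.src in rule.src_hosts))


def run_rules(rules, packets):
    """Return {rule name: number of alerts} for a packet sequence."""
    filters = {r.name: DetectionFilter(r.count, r.seconds) for r in rules}
    alerts = {r.name: 0 for r in rules}
    for pkt in packets:
        for r in rules:
            if header_matches(r, pkt) and filters[r.name].exceeded(pkt.dst, pkt.ts):
                alerts[r.name] += 1
    return alerts


RULES = [
    # alert tcp any any -> $HOME_NET 514 (... detection_filter:track by_dst, count 50, seconds 1 ...)
    Rule("any-source", "tcp", None, 514, 50, 1.0),
    # alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (same options)
    Rule("listed-sources", "tcp", frozenset({"192.168.21.1", "192.168.21.2"}), 514, 50, 1.0),
]


def flood(n, dst, start, duration, src=None, seed=0):
    """Constructed SYN flood: n TCP packets to dst:514 spread evenly over `duration` s.

    src=None imitates hping3 --rand-source by drawing a random address per
    packet (from 10.0.0.0/8 here, so none is on the rule's source list).
    """
    rng = random.Random(seed)
    pkts = []
    for i in range(n):
        s = src or "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        pkts.append(Packet(start + i * duration / n, s, dst, "tcp", 514))
    return pkts


def demo():
    target = "192.168.21.10"
    spoofed = run_rules(RULES, flood(200, target, 0.0, 0.5))                    # --rand-source
    fixed = run_rules(RULES, flood(200, target, 10.0, 0.5, src="192.168.21.1"))  # listed source
    return {"rand-source": spoofed, "fixed-source": fixed}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With 200 packets inside one second, both headers alert on every packet after the 50th when the source is 192.168.21.1; against the spoofed flood only the "any any" header alerts, and the listed-sources rule stays silent for the whole run. To test the source-restricted rule, send the flood from a listed host with -a/--spoof instead of --rand-source, or widen the source list.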

