[Snort-users] [snort-user] rule unable to detect port specific DoS attack
ram.nath241089 at ...11827...
Tue Sep 3 11:18:12 EDT 2013
Hello Joel Sir,
The attack is from the command line, and the command is
[root at ...16515...]# hping3 --rand-source <ip> -p 514 -S -L 0
From the hping.org site:
It supports TCP, UDP, ICMP and RAW-IP protocols,
so I am confused about it.
Please guide me where I am mistaken!
On Tue, Sep 3, 2013 at 8:41 PM, Joel Esler <jesler at ...1935...> wrote:
> On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
> Hello All, I have used the rule
> alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
> which generates alerts at random ports which are not on my lists... fine.
> But if I write it port-specific, it does not log into the alert file:
> alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
> What I did is as follows:
> I am attaching here the output of the pcap file generated by Wireshark.
> 1. I run snort in NIDS mode
> snort -c /etc/snort/snort.conf -l /var/log/snort
> 2. Then I start capture of packets on eth0 interface.
> 3. I perform the DoS flood attack, the output of which I am attaching here.
> Seeking for guidance,
> Please help,
> Is the traffic TCP or UDP?
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
Mayur S. Patil,
ME COMP ENGG,
<https://www.facebook.com/mayurram> <https://twitter.com/RamMayur>
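An added illustration, not part of the thread: the rule options quoted above modelled in Python so the two cases can be compared side by side. hping3's --rand-source forges a fresh source address on every packet, so the SYNs arriving at TCP/514 never carry 192.168.21.1 or 192.168.21.2; the simulation shows the `any` rule's detection_filter (track by_dst, count 50, seconds 1) firing on a constructed flood while the source-listed rule never increments its counter. The rule class, packet tuples and flood generator are assumptions of this example, not Snort's own code.

```python
from collections import defaultdict
import random

def parse_src_list(spec):
    """'any' matches every source; '[a,b]' is an explicit list of source IPs (assumed syntax)."""
    return None if spec == "any" else set(spec.strip("[]").split(","))

class DetectionFilterRule:
    """Hypothetical model of 'alert tcp <src> any -> $HOME_NET <port> (detection_filter: ...)'."""

    def __init__(self, src_spec, dst_port, count, seconds, track="by_dst"):
        self.src = parse_src_list(src_spec)
        self.dst_port = dst_port
        self.count, self.seconds, self.track = count, seconds, track
        self.seen = defaultdict(list)  # tracked key -> timestamps of matching packets

    def process(self, pkt):
        """Return True when this packet raises an alert.
        pkt = (timestamp, src_ip, dst_ip, dst_port, proto, tcp_flags)."""
        ts, src, dst, dport, proto, _flags = pkt
        if proto != "tcp" or dport != self.dst_port:
            return False
        if self.src is not None and src not in self.src:
            return False  # the source list filters BEFORE the counter is ever touched
        key = dst if self.track == "by_dst" else src
        window = [t for t in self.seen[key] if ts - t < self.seconds] + [ts]
        self.seen[key] = window
        # detection_filter: alert on the count-th match inside the window and on every match after it
        return len(window) >= self.count

def random_source(i):
    """Models --rand-source: a different forged source address per packet (seeded, so repeatable)."""
    rnd = random.Random(i)
    return ".".join(str(rnd.randrange(1, 254)) for _ in range(4))

def synthetic_flood(n, src_fn, dst="192.168.21.100", start=0.0):
    """Constructed SYN flood to TCP/514: n packets spread evenly over half a second."""
    return [(start + i * 0.5 / n, src_fn(i), dst, 514, "tcp", "S") for i in range(n)]

def count_alerts(rule, packets):
    return sum(rule.process(p) for p in packets)

if __name__ == "__main__":
    listed = "[192.168.21.1,192.168.21.2]"
    print(count_alerts(DetectionFilterRule("any", 514, 50, 1), synthetic_flood(60, random_source)))   # 11
    print(count_alerts(DetectionFilterRule(listed, 514, 50, 1), synthetic_flood(60, random_source)))  # 0
    print(count_alerts(DetectionFilterRule(listed, 514, 50, 1), synthetic_flood(60, lambda i: "192.168.21.1")))  # 11
```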