[Snort-users] [snort-user] rule unable to detect port specific DoS attack

Joel Esler jesler at ...1935...
Tue Sep 3 14:34:30 EDT 2013


Might be helpful to actually look at the traffic you are generating to see what it actually is.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 3, 2013, at 2:15 PM, Mayur Patil <ram.nath241089 at ...11827...> wrote:

> Hello Joel Sir,
> 
>    After googling I got that this attack is TCP based.
>  
>   Seeking for guidance,
> 
>   Thanks!!
>   
> 
> 
> On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
> P.S. I forgot to add --flood within attack command.
> 
> 
> On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
> Hello Joel Sir,
> 
>      attack is from command line and command is
> 
>      [root at ...16515...]# hping3 --rand-source <ip> -p 514 -S -L 0
> 
>     from hping.org site,
> 
> It supports TCP, UDP, ICMP and RAW-IP protocols
>  
>    so I am confused between it.
> 
>     Please guide me where I am mistaken !
> 
> --
> Cheers,
> Mayur      
> 
> On Tue, Sep 3, 2013 at 8:41 PM, Joel Esler <jesler at ...1935...> wrote:
> On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
> 
>> Hello All,  I have used rule 
>> 
>>  alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>> 
>> 
>>   which generates alerts at random ports which are not on my lists.. fine
>> 
>>    But if I write port-specific it does not log into alert file
>>    alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>> 
>> 
>>   what I did is as follows:
>>   
>>   I am attaching here the output of pcap file generated by wireshark.
>> 
>>      1. I run snort in NIDS mode
>>    
>>          snort -c /etc/snort/snort.conf -l /var/log/snort
>> 
>>      2. Then I start capture of packets on eth0 interface.
>> 
>>      3. I perform DoS flood attack, the generated output of which I am attaching here
>> 
>>          http://fpaste.org/36432/
>> 
>>      Seeking for guidance,
>>  
>>      Please help,
>> 
>>      Thanks!!
>> 
> 
> 
> Is the traffic TCP or UDP?
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> 
> 
> -- 
> Yours Sincerely,
> Mayur S. Patil,
> ME COMP ENGG,
> MITCOE,
> Pune.
> 
> Contact : 
>          
> 
> 
> 
> 
> 
> 
> 
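To make the rule behaviour in this thread concrete, here is an added example (not code from the thread, from Snort or from hping) that models the two quoted rules and replays constructed traffic shaped like the hping3 command shown above: TCP SYNs to port 514 from randomised source addresses. It assumes $HOME_NET is 192.168.21.0/24 (the thread never states it), draws the "random" sources from 10.0.0.0/8 for determinism, and uses a simplified model of detection_filter in which every matching packet after the first `count` packets to the same destination within `seconds` generates an alert. Everything else (class and function names) is this example's own.

```python
"""Model of how a Snort rule's source-IP list and detection_filter interact.

Added example (not code from the mailing-list thread or from Snort itself).
It approximates the two rules quoted in the thread and replays constructed
traffic shaped like the hping3 command shown there: TCP SYNs to port 514 from
random source addresses (--rand-source). Assumptions are marked below.
"""
import ipaddress
import random
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumption: $HOME_NET for the sensor is 192.168.21.0/24 (the thread never states it).
HOME_NET = "192.168.21.0/24"


@dataclass(frozen=True)
class Packet:
    ts: float    # capture timestamp in seconds
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


class RateRule:
    """Approximates: alert <proto> <src_list> any -> <dst_net> <dport>
    (detection_filter:track by_dst, count N, seconds S;).

    Assumption (simplified model of detection_filter): once more than `count`
    matching packets have reached the same destination within `seconds`, every
    further matching packet in that window generates an alert.
    """

    def __init__(self, name, src_list, dst_net, dport, count, seconds, proto="tcp"):
        self.name = name
        # "any" means no source restriction; otherwise a list such as [192.168.21.1,192.168.21.2]
        self.src_nets = None if src_list == "any" else [ipaddress.ip_network(s) for s in src_list]
        self.dst_net = ipaddress.ip_network(dst_net)
        self.dport = dport
        self.count = count
        self.seconds = seconds
        self.proto = proto
        self.windows = defaultdict(deque)  # per-destination timestamps (track by_dst)

    def header_matches(self, pkt):
        """Rule header check: protocol, destination net/port, and the source IP list."""
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst_net:
            return False
        if self.src_nets is not None:
            src = ipaddress.ip_address(pkt.src)
            if not any(src in net for net in self.src_nets):
                return False
        return True

    def process(self, pkt):
        """Feed one packet; return True if it would generate an alert."""
        if not self.header_matches(pkt):
            return False
        window = self.windows[pkt.dst]
        while window and pkt.ts - window[0] >= self.seconds:
            window.popleft()  # drop timestamps that fell outside the tracking window
        window.append(pkt.ts)
        return len(window) > self.count


def synthetic_flood(n, dst, dport=514, rand_source=True, seed=7):
    """Constructed traffic: n TCP packets 10 ms apart to dst:dport.
    rand_source=True draws sources from 10.0.0.0/8 (constructed stand-in for --rand-source);
    rand_source=False uses the fixed address 192.168.21.1 from the thread's second rule."""
    rng = random.Random(seed)
    packets = []
    for i in range(n):
        if rand_source:
            src = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        else:
            src = "192.168.21.1"
        packets.append(Packet(ts=i * 0.01, src=src, dst=dst, dport=dport, proto="tcp"))
    return packets


def count_alerts(rule, packets):
    """Replay packets through a rule and count the alerts it generates."""
    return sum(1 for p in packets if rule.process(p))


def make_rules():
    """Fresh instances of the two rules from the thread, in this model."""
    any_src = RateRule("sid25101-any", "any", HOME_NET, 514, count=50, seconds=1)
    listed_src = RateRule("sid25101-list", ["192.168.21.1", "192.168.21.2"],
                          HOME_NET, 514, count=50, seconds=1)
    return any_src, listed_src


if __name__ == "__main__":
    target = "192.168.21.10"
    flood = synthetic_flood(60, target)  # randomised sources, like hping3 --rand-source
    for rule in make_rules():
        print(rule.name, "alerts on random-source flood:", count_alerts(rule, flood))
    fixed = synthetic_flood(60, target, rand_source=False)
    for rule in make_rules():
        print(rule.name, "alerts on single-source flood:", count_alerts(rule, fixed))
```

Running it shows the "any" rule alerting on the 51st and every later packet of a 60-packet burst, while the rule with the source-address list never alerts on the randomised-source burst: its header never matches, so the by_dst counter never advances. Against a burst from a listed address both rules alert equally. When a rate-based rule stays silent, checking the capture for the actual source addresses and protocol, as the reply above suggests, is the first step before touching the rule.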

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130903/4d10853f/attachment.html>

