[Snort-users] [snort-user] rule unable to detect port specific DoS attack

Mayur Patil ram.nath241089 at ...11827...
Tue Sep 3 19:51:51 EDT 2013


Do you mean to say the traffic generated by Wireshark when eth0 starts capturing?


On Wed, Sep 4, 2013 at 12:04 AM, Joel Esler <jesler at ...1935...> wrote:

> Might be helpful to actually look at the traffic you are generating to see
> what it actually is.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Sep 3, 2013, at 2:15 PM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
>
> Hello Joel Sir,
>
>    After googling I got that this attack is TCP based.
>
>   Seeking guidance,
>
>   Thanks!!
>
>
>
> On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
>
>> P.S. I forgot to add --flood within attack command.
>>
>>
>> On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
>>
>>> Hello Joel Sir,
>>>
>>>      The attack is from the command line and the command is
>>>
>>>      [root at ...16515...]# hping3 --rand-source <ip> -p 514 -S -L 0
>>>
>>>     From the hping.org site:
>>>
>>> It supports TCP, UDP, ICMP and RAW-IP protocols
>>>
>>>    so I am confused about it.
>>>
>>>     Please guide me where I am mistaken!
>>> --
>>> *Cheers,*
>>> *Mayur*
>>>
>>> On Tue, Sep 3, 2013 at 8:41 PM, Joel Esler <jesler at ...1935...> wrote:
>>>
>>>> On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 at ...11827...>
>>>> wrote:
>>>>
>>>> Hello All, I have used the rule
>>>>
>>>>  alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; \
>>>>      flow:to_server; detection_filter:track by_dst, count 50, seconds 1; \
>>>>      metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>>>>
>>>>
>>>>   which generates alerts for random ports which are not in my list... fine
>>>>
>>>>    But if I write it port-specific it does not log into the alert file:
>>>>
>>>>    alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; \
>>>>        flow:to_server; detection_filter:track by_dst, count 50, seconds 1; \
>>>>        metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>>>>
>>>>
>>>>   What I did is as follows:
>>>>
>>>>   I am attaching here the output of pcap file generated by wireshark.
>>>>
>>>>      1. I run Snort in NIDS mode
>>>>
>>>>          snort -c /etc/snort/snort.conf -l /var/log/snort
>>>>
>>>>      2. Then I start capture of packets on eth0 interface.
>>>>
>>>>      3. I perform the DoS flood attack, the output of which I am attaching here:
>>>>
>>>>          http://fpaste.org/36432/
>>>>
>>>>      Seeking guidance,
>>>>
>>>>      Please help,
>>>>
>>>>      Thanks!!
>>>>
>>>>
>>>>
>>>> Is the traffic TCP or UDP?
>>>>
>>>> --
>>>> *Joel Esler*
>>>> Senior Research Engineer, VRT
>>>> OpenSource Community Manager
>>>> Sourcefire
>>>>
>>>
>>>
>>>
>>> --
>>> *Yours Sincerely,*
>>> Mayur S. Patil,
>>> ME COMP ENGG,
>>> MITCOE,
>>> Pune.
>>>
>>> Contact :
>>> <https://www.facebook.com/mayurram> <https://twitter.com/RamMayur>
>>> <https://plus.google.com/u/0/107426396312814346345/about>
>>> <http://in.linkedin.com/pub/mayur-patil/35/154/b8b/>
>>> <http://stackoverflow.com/users/1528044/rammayur>
>>> <https://myspace.com/mayurram> <https://github.com/ramlaxman>

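To make the thread's point concrete, here is an added Python model of the two rules above (not Snort code, and not from anyone on the list). It applies the rule header and a simplified detection_filter (track by_dst: alert once more than `count` header matches for a destination fall within `seconds`; flow:to_server is not modelled) to constructed packet records, and assumes $HOME_NET expands to 192.168.21.0/24 and that --rand-source gives every packet a different source address.

```python
import ipaddress
import random
from collections import defaultdict, deque

HOME_NET = ipaddress.ip_network("192.168.21.0/24")  # assumption: what $HOME_NET expands to


class FloodRule:
    """Model of `alert tcp <src> any -> $HOME_NET 514 (detection_filter:track by_dst,
    count 50, seconds 1; ...)`: header match first, then the per-destination rate must
    exceed `count` matches inside `seconds` before the packet produces an alert."""

    def __init__(self, src_ips=None, dst_port=514, count=50, seconds=1.0):
        # src_ips=None stands for `any`; otherwise the explicit list from the rule header
        self.src_ips = None if src_ips is None else {ipaddress.ip_address(s) for s in src_ips}
        self.dst_port, self.count, self.seconds = dst_port, count, seconds
        self.windows = defaultdict(deque)  # dst -> timestamps of recent header matches

    def header_matches(self, pkt):
        if pkt["proto"] != "tcp" or pkt["dport"] != self.dst_port:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in HOME_NET:
            return False
        return self.src_ips is None or ipaddress.ip_address(pkt["src"]) in self.src_ips

    def process(self, pkt):
        """True when this packet pushes the tracked destination over the rate limit."""
        if not self.header_matches(pkt):
            return False
        win = self.windows[pkt["dst"]]
        win.append(pkt["ts"])
        while pkt["ts"] - win[0] > self.seconds:  # drop matches that fell out of the window
            win.popleft()
        return len(win) > self.count


def alert_count(rule, packets):
    """Number of alerts the rule raises over the packet list (one pass, in order)."""
    return sum(rule.process(p) for p in packets)


def synthetic_flood(n, dst="192.168.21.50", src=None, pps=1000, seed=1):
    """Constructed packet records: n SYNs to port 514 at `pps` packets/s, not real traffic.
    src=None mimics hping3 --rand-source (a fresh random source address per packet)."""
    rng = random.Random(seed)
    return [{"ts": i / pps, "proto": "tcp", "dport": 514, "dst": dst,
             "src": src or str(ipaddress.IPv4Address(rng.getrandbits(32)))}
            for i in range(n)]
```

`alert_count(FloodRule(), synthetic_flood(200))` gives 150 alerts (every packet after the 50th in the one-second window), while the same flood against `FloodRule(["192.168.21.1", "192.168.21.2"])` gives 0, because a randomised source never matches the listed addresses. The listed-source rule does fire (150 alerts) when the same flood is given a fixed source of 192.168.21.1, so the rule itself is fine; it is the source restriction that never matches.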