[Snort-users] Detecting DDoS attacks with Snort

Ana Serrano Mamolar B00315494 at ...17757...
Mon Jan 23 05:25:57 EST 2017

Hi everyone,,
I am a beginner with Snort. For my research, I would like to use Snort to detect DDoS attacks.
So, what I have done is, first install Snort and download DDoS rules from here https://github.com/eldondev/Snort/blob/master/rules/ddos.rules.
Then, I tried to generate some traffic that match some of this rules to see if Snort triggered alerts. I started to use scapy and I managed to generate ICMP and UDP DoS attacks, but not TCP for the moment, and not Distributed, but just DoS. I am open also to new ideas about that issue of generating traffic to simulate my attacks ( also pcaps would be suitable).

My main worry, and the aim of this message, is that I am not sure to have understood well how Snort rules work. I don't understand why I am getting one alert per packet sent. So, if i send 2000 packets matching a rule I receive 2000 alerts. As far as I know, a DDoS attack attempt to overload systems, so one packet, is not a DoS attack.

So, does somebody know how I should do a real experiment? Maybe that rules are not good to detect an attack? Maybe I am not running Snort in the proper mode?

Thanks in advance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170123/55c60d40/attachment.html>

More information about the Snort-users mailing list