[Snort-users] Detecting DDoS attacks with Snort
Ana Serrano Mamolar
B00315494 at ...17757...
Mon Jan 23 09:54:08 EST 2017
Thanks for your response Joel.
I have also installed PulledPork to have more updated rules, but still don't understand why I have to get an alert per packet in a DDoS attack.
For example, following your link, I randomly selected one rule with a DoS classtype that I copied bellow. If I use scapy to send 2000 packets that match the signature showed in this rule, Snort will trigger 2000 alerts. That's what I can not understand from the beginning. Why 2000 alerts. Shouldn't exist a kind of threshold to consider an attack or not, depending on the amount of packets received/sent?
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;)
From: Joel Esler (jesler) <jesler at ...589...>
Sent: 23 January 2017 14:41:07
To: Ana Serrano Mamolar
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Detecting DDoS attacks with Snort
Those rules are six years old. I'd suggest getting a more up to date ruleset from Snort.org<http://Snort.org>.
Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>
On Jan 23, 2017, at 5:25 AM, Ana Serrano Mamolar <B00315494 at ...17757...<mailto:B00315494 at ...17757...>> wrote:
I am a beginner with Snort. For my research, I would like to use Snort to detect DDoS attacks.
So, what I have done is, first install Snort and download DDoS rules from here https://github.com/eldondev/Snort/blob/master/rules/ddos.rules.
Then, I tried to generate some traffic that match some of this rules to see if Snort triggered alerts. I started to use scapy and I managed to generate ICMP and UDP DoS attacks, but not TCP for the moment, and not Distributed, but just DoS. I am open also to new ideas about that issue of generating traffic to simulate my attacks ( also pcaps would be suitable).
My main worry, and the aim of this message, is that I am not sure to have understood well how Snort rules work. I don't understand why I am getting one alert per packet sent. So, if i send 2000 packets matching a rule I receive 2000 alerts. As far as I know, a DDoS attack attempt to overload systems, so one packet, is not a DoS attack.
So, does somebody know how I should do a real experiment? Maybe that rules are not good to detect an attack? Maybe I am not running Snort in the proper mode?
Thanks in advance
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org<http://slashdot.org/>! http://sdm.link/slashdot_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users