[Snort-users] Detecting DDoS attacks with Snort

Ana Serrano Mamolar B00315494 at ...17757...
Mon Jan 23 10:31:56 EST 2017

I have read about that and have even added some thresholds to some rules to understand them better while generating traffic. However, when I download rules I supposed that they were meant to alert on known attacks, so they should already have a well-configured threshold.
If they don't have it and you have to do it yourself, these rules are not useful, are they? Maybe I'm wrong from the beginning, but it doesn't make sense to me to have to configure a threshold for thousands of downloaded rules, one by one. Even more so when I don't know the attacks and don't have any criteria to configure their thresholds.
That's why I suspected that there was something I was misunderstanding, since I don't believe that the uploaded rules were incomplete.
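Added illustration, not part of the thread: a small Python model of the three event_filter types (limit, threshold, both) that threshold.conf accepts, applied to a constructed 2000-packet flood against the sid 231 rule quoted further down. The event_filter syntax follows the Snort 2.9 manual; the window handling is a simplified model of Snort's, not its actual code.

```python
# Constructed threshold.conf / event_filter lines for sid 231 (the Trin00 rule
# quoted in the thread); syntax as documented for Snort 2.9, one line per type.
EVENT_FILTERS = [
    "event_filter gen_id 1, sig_id 231, type limit, track by_src, count 100, seconds 60",
    "event_filter gen_id 1, sig_id 231, type threshold, track by_src, count 100, seconds 60",
    "event_filter gen_id 1, sig_id 231, type both, track by_src, count 100, seconds 60",
]

def parse_event_filter(line):
    """Turn one event_filter line into a dict of its key/value options."""
    body = line.split(None, 1)[1]              # drop the leading keyword
    opts = {}
    for part in body.split(","):
        key, value = part.split()
        opts[key] = int(value) if value.isdigit() else value
    return opts

class EventFilter:
    """Simplified model (assumption) of Snort's limit/threshold/both semantics:
    a fixed window of `seconds` starting at the first event seen per tracked address."""
    def __init__(self, opts):
        self.type, self.count, self.seconds = opts["type"], opts["count"], opts["seconds"]
        self.track = opts["track"]
        self.state = {}                        # tracked address -> (window_start, seen)

    def allow(self, src, dst, t):
        """Return True if the event at time t should still produce an alert."""
        key = src if self.track == "by_src" else dst
        start, seen = self.state.get(key, (None, 0))
        if start is None or t - start >= self.seconds:
            start, seen = t, 0                 # new time window
        seen += 1
        self.state[key] = (start, seen)
        if self.type == "limit":
            return seen <= self.count          # first m events per window only
        if self.type == "threshold":
            return seen % self.count == 0      # every m-th event in the window
        return seen == self.count              # both: once per window after m events

def alerts_for(filter_line, events):
    """Count the alerts the rule raises for a list of (src, dst, time) matches."""
    f = EventFilter(parse_event_filter(filter_line))
    return sum(1 for src, dst, t in events if f.allow(src, dst, t))

# Constructed traffic: a scapy-style flood of 2000 matching packets from one
# source over 10 seconds, as in the experiment described in the thread.
FLOOD = [("10.0.0.5", "192.168.1.10", i * 0.005) for i in range(2000)]

if __name__ == "__main__":
    for line in EVENT_FILTERS:
        print(parse_event_filter(line)["type"], "->", alerts_for(line, FLOOD), "alerts")
```

Without any filter the same flood yields one alert per packet (2000); `type both` is the closest to "alert once when the rate looks like an attack".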

From: Joel Esler (jesler) <jesler at ...589...>
Sent: 23 January 2017 15:20:56
To: Ana Serrano Mamolar
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Detecting DDoS attacks with Snort

You can enable your own thresholds in the threshold.conf.

Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>

On Jan 23, 2017, at 9:54 AM, Ana Serrano Mamolar <B00315494 at ...17757...<mailto:B00315494 at ...17757...>> wrote:

Thanks for your response Joel.
I have also installed PulledPork to have more up-to-date rules, but I still don't understand why I have to get an alert per packet in a DDoS attack.
For example, following your link, I randomly selected one rule with a DoS classtype, which I copied below. If I use scapy to send 2000 packets that match the signature shown in this rule, Snort will trigger 2000 alerts. That's what I cannot understand from the beginning. Why 2000 alerts? Shouldn't there be some kind of threshold to decide whether it is an attack or not, depending on the amount of packets received/sent?

# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;)

From: Joel Esler (jesler) <jesler at ...589...<mailto:jesler at ...589...>>
Sent: 23 January 2017 14:41:07
To: Ana Serrano Mamolar
Cc: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] Detecting DDoS attacks with Snort

Those rules are six years old.  I’d suggest getting a more up to date ruleset from Snort.org<http://snort.org/>.

Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>

On Jan 23, 2017, at 5:25 AM, Ana Serrano Mamolar <B00315494 at ...17757...<mailto:B00315494 at ...17757...>> wrote:

Hi everyone,
I am a beginner with Snort. For my research, I would like to use Snort to detect DDoS attacks.
So, what I have done is, first, install Snort and download DDoS rules from here: https://github.com/eldondev/Snort/blob/master/rules/ddos.rules.
Then, I tried to generate some traffic that matches some of these rules to see if Snort triggered alerts. I started to use scapy and I managed to generate ICMP and UDP DoS attacks, but not TCP for the moment, and not distributed, just DoS. I am also open to new ideas about that issue of generating traffic to simulate my attacks (pcaps would also be suitable).

My main worry, and the aim of this message, is that I am not sure I have understood well how Snort rules work. I don't understand why I am getting one alert per packet sent. So, if I send 2000 packets matching a rule, I receive 2000 alerts. As far as I know, a DDoS attack attempts to overload systems, so one packet is not a DoS attack.

So, does somebody know how I should do a real experiment? Maybe those rules are not good for detecting an attack? Maybe I am not running Snort in the proper mode?

Thanks in advance
