[Snort-users] Detecting DDoS attacks with Snort

Ana Serrano Mamolar B00315494 at ...17757...
Mon Jan 23 11:16:48 EST 2017


Ok Joel,


So, from your words I understand that rules uploaded by the community don't have any threshold by default, and it is each user who has to configure it according to "one's tastes". So, for the same attack I could have 2000 alerts while another user could have just one.

It would make more sense. I couldn't understand why just one packet could trigger a DDoS alert, while I thought that a DDoS attack was created to send a big amount of packets per second to the target.

So I now notice that my idea of a DDoS attack and Snort rules wasn't wrong, but I was taking for granted that I could detect real DDoS attacks by downloading rules and without modifying them.

I suppose that uploaded rules are good for having known signatures of packets sent in attacks. Then I have to configure thresholds by myself.


Thanks

________________________________
From: Joel Esler (jesler) <jesler at ...589...>
Sent: 23 January 2017 15:35:26
To: Ana Serrano Mamolar
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Detecting DDoS attacks with Snort

You can make one threshold, as a global threshold, that will threshold all rules.  That example is in the threshold.conf IIRC.

That being said, some users of Snort want every alert.  So while you may not, many people do.  It’s up to each user of Snort to configure it how they want.

--
Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>






On Jan 23, 2017, at 10:31 AM, Ana Serrano Mamolar <B00315494 at ...17757...<mailto:B00315494 at ...17757...>> wrote:


I have read about that and have even added some thresholds in some rules to understand them better while generating traffic. However, when I download rules I supposed that they were trying to alert on known attacks, so they should even have a well-configured threshold.
If they don't have it and you have to do it by yourself, these rules are not useful, are they? Maybe I'm wrong from the beginning, but it doesn't make sense to me to have to configure a threshold for thousands of downloaded rules, one by one. Even more so when I don't know the attacks and don't have any criteria to configure their threshold.
That's why I suspected that there was something that I was misunderstanding, since I don't believe that uploaded rules were incomplete.


________________________________
From: Joel Esler (jesler) <jesler at ...589...<mailto:jesler at ...589...>>
Sent: 23 January 2017 15:20:56
To: Ana Serrano Mamolar
Cc: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] Detecting DDoS attacks with Snort

You can enable your own thresholds in the threshold.conf.


--
Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>






On Jan 23, 2017, at 9:54 AM, Ana Serrano Mamolar <B00315494 at ...17757...<mailto:B00315494 at ...17757...>> wrote:

Thanks for your response, Joel.
I have also installed PulledPork to have more updated rules, but I still don't understand why I have to get an alert per packet in a DDoS attack.
For example, following your link, I randomly selected one rule with a DoS classtype that I copied below. If I use scapy to send 2000 packets that match the signature shown in this rule, Snort will trigger 2000 alerts. That's what I cannot understand from the beginning. Why 2000 alerts? Shouldn't there be a kind of threshold to decide whether it is an attack or not, depending on the amount of packets received/sent?



# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;)
________________________________
From: Joel Esler (jesler) <jesler at ...589...<mailto:jesler at ...589...>>
Sent: 23 January 2017 14:41:07
To: Ana Serrano Mamolar
Cc: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] Detecting DDoS attacks with Snort

Those rules are six years old.  I’d suggest getting a more up to date ruleset from Snort.org<http://snort.org/>.

--
Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>






On Jan 23, 2017, at 5:25 AM, Ana Serrano Mamolar <B00315494 at ...17757...<mailto:B00315494 at ...17757...>> wrote:


Hi everyone,
I am a beginner with Snort. For my research, I would like to use Snort to detect DDoS attacks.
So, what I have done is, first, install Snort and download DDoS rules from here: https://github.com/eldondev/Snort/blob/master/rules/ddos.rules.
Then, I tried to generate some traffic that matches some of these rules to see if Snort triggered alerts. I started to use scapy and I managed to generate ICMP and UDP DoS attacks, but not TCP for the moment, and not distributed, just DoS. I am also open to new ideas about that issue of generating traffic to simulate my attacks (pcaps would also be suitable).

My main worry, and the aim of this message, is that I am not sure I have understood well how Snort rules work. I don't understand why I am getting one alert per packet sent. So, if I send 2000 packets matching a rule, I receive 2000 alerts. As far as I know, a DDoS attack attempts to overload systems, so one packet is not a DoS attack.

So, does somebody know how I should do a real experiment? Maybe those rules are not good for detecting an attack? Maybe I am not running Snort in the proper mode?

Thanks in advance
Ana
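As an added example (not from the thread and not part of the Snort distribution's own threshold.conf), here is the community rule quoted in the thread (sid 231) next to the two mechanisms the replies point at for collapsing per-packet alerts: an event_filter in threshold.conf (per rule, and the global gen_id 0 / sig_id 0 form Joel mentions) and a local copy of the rule with a detection_filter, which only fires once a packet rate is exceeded. The count/seconds values and the local sid 1000231 are assumed values chosen for illustration; the syntax is Snort 2.9's.

```snort
# --- local.rules: the community rule exactly as quoted in the thread.
# With no filter, every matching packet produces its own alert (2000 packets
# -> 2000 alerts), because the rule describes a signature, not a rate.
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;)

# --- threshold.conf: per-rule event_filter.
# "type limit, count 1, seconds 60": log the first matching event from a given
# source, then drop further events from that source for the rest of the 60 s
# window. A burst of 2000 packets from one host -> 1 alert. (count/seconds are
# assumed values; tune them to the traffic you expect.)
event_filter gen_id 1, sig_id 231, type limit, track by_src, count 1, seconds 60

# Global variant, as mentioned in the thread: gen_id 0 / sig_id 0 applies to
# every rule that has no filter of its own, so the whole ruleset is rate-limited
# at once. A rule-specific event_filter (like the one above) takes precedence.
# Caveat from the thread: this also collapses single-packet exploit alerts to
# one per source per window, which some operators explicitly do not want.
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

# --- local.rules: a copy of the rule that only fires when a *rate* is exceeded.
# detection_filter is evaluated inside the rule: nothing is reported until the
# same source has matched more than 100 times within 5 s (assumed numbers), and
# after that each further matching packet in the window alerts, so pair it with
# an event_filter on its sid to keep the flood to one or a few alerts.
# A local copy needs its own sid; 1000231 is a constructed value.
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"LOCAL Trin00 daemon-to-master flood from one source"; flow:to_server; content:"l44"; fast_pattern:only; detection_filter: track by_src, count 100, seconds 5; classtype:attempted-dos; sid:1000231; rev:1;)
event_filter gen_id 1, sig_id 1000231, type limit, track by_src, count 1, seconds 60
```

Keep the signature rule and the rate rule separate: the first still tells you that a single Trin00 control message was seen, while the second is the one that actually encodes "many packets per second from one source", which is the property Ana's experiment is trying to measure.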

