<div dir="ltr"><div><div><div>Hello Joel Sir,<br><br></div>     The attack is from the command line and the command is <br><br>     [root@...16516......]# hping3 --rand-source <ip> -p 514 -S -L 0<br><br></div><div>    from the <a href="http://hping.org">hping.org</a> site,<br>
</div><div><br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">It supports TCP, UDP, ICMP and RAW-IP protocols<br></blockquote><div> </div>   so I am confused about it.<br>
<br></div><div>    Please guide me where I am mistaken!<br><b><br>--<br></b></div><b>Cheers,<br></b></div><b>Mayur</b>      <br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 3, 2013 at 8:41 PM, Joel Esler <span dir="ltr"><<a href="mailto:jesler@...14281...." target="_blank">jesler@...1935...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div class="h5">On Sep 3, 2013, at 1:44 AM, Mayur Patil <<a href="mailto:ram.nath241089@...11827..." target="_blank">ram.nath241089@...11827...</a>> wrote:<br>
<div><div><br><blockquote type="cite"><div dir="ltr"><div><div>Hello All, I have used the rule <br><br> alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service  <br> attempt";flow:to_server; detection_filter:track by_dst, count 50, seconds 1; <br>
 metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)<br><br><br><div>  which generates alerts for random ports which are not on my lists... fine<br><br></div><div>   But if I write it port-specific it does not log into the alert file<br>


</div>   alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS <br>  flood denial of service attempt";flow:to_server; detection_filter:track by_dst,   <br>  count 50, seconds 1; metadata:service syslog; classtype:attempted-dos;  <br>
  sid:25101; rev:1;)</div><br><br></div>  What I did is as follows:<br><div><div>  <br>  I am attaching here the output of the pcap file generated by Wireshark.<br><br>
     1. I run Snort in NIDS mode<br>
   <br>         snort -c /etc/snort/snort.conf -l /var/log/snort<br><br>     2. Then I start capturing packets on the eth0 interface.<br><br>     3. I perform the DoS flood attack, the output of which I am attaching here:<br>
<div><br>         <a href="http://fpaste.org/36432/" target="_blank">http://fpaste.org/36432/</a><br><br></div><div>     Seeking guidance,<br> <br></div><div>     Please help,<br></div><div><br></div>     Thanks!!<br>

<br></div></div></div></blockquote></div><br></div><div><br></div></div></div><div>Is the traffic TCP or UDP?<div><br></div><div><span style="font-family:'Lucida Grande'">--</span><br><span style="font-family:'Lucida Grande'"><b>Joel Esler</b></span><br>
<span style="font-family:'Lucida Grande'">Senior Research Engineer, VRT</span><br><span style="font-family:'Lucida Grande'">OpenSource Community Manager</span><br><span style="font-family:'Lucida Grande'">Sourcefire</span></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr"><b>Yours Sincerely,<br>Mayur</b><span style="font-weight:bold"> S. Patil,<br>ME COMP ENGG,<br>MITCOE,<br></span><span style="font-weight:bold">Pune.<br>
<br></span><div>
<br><br><br></div></div>
</div></div>
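As an added example (not part of this thread, and not Snort's code), a small Python model of the `detection_filter: track by_dst, count 50, seconds 1` bookkeeping from the rules above, run over constructed packet records. It shows why the `any any` form fires while the form restricted to `[192.168.21.1,192.168.21.2]` stays silent when source addresses are randomized, as `hping3 --rand-source` does. The `Packet`/`Rule` classes and the sampling-window reset are assumptions of this model; Snort's exact window handling may differ.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from random import Random
from typing import Optional

@dataclass
class Packet:
    ts: float      # arrival time in seconds
    proto: str     # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    """Approximation of a Snort rule header plus detection_filter track by_dst."""
    proto: str
    src_ips: Optional[set]   # None means the header's source is "any"
    dport: int
    count: int               # detection_filter count
    seconds: float           # detection_filter seconds
    state: dict = field(default_factory=dict)  # dst -> (window_start, matches)

    def header_matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.dport == self.dport
                and (self.src_ips is None or p.src in self.src_ips))

    def feed(self, p: Packet) -> bool:
        """Return True when this packet produces an alert."""
        if not self.header_matches(p):
            return False
        start, n = self.state.get(p.dst, (p.ts, 0))
        if p.ts - start >= self.seconds:   # sampling period over: restart (model assumption)
            start, n = p.ts, 0
        n += 1
        self.state[p.dst] = (start, n)
        return n > self.count              # Snort fires once count is exceeded

def synthetic_flood(n: int, rand_source: bool, gap: float = 0.001, seed: int = 1) -> list:
    """Constructed SYN-like records to 192.168.21.10:514 (not captured traffic)."""
    rng = Random(seed)
    return [Packet(ts=i * gap, proto="tcp",
                   src=str(ip_address(rng.getrandbits(32))) if rand_source else "192.168.21.1",
                   dst="192.168.21.10", dport=514) for i in range(n)]

def count_alerts(rule: Rule, pkts: list) -> int:
    return sum(rule.feed(p) for p in pkts)
```

With 200 packets in 0.2 s, the `any any` rule alerts on the 51st packet onward (150 alerts), whereas the source-restricted rule matches no randomized source at all.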