Snort mailing list archives
Re: letdown, dos attempt not detecting
From: Leonardo Pezente <lmpezente () gmail com>
Date: Tue, 11 Dec 2012 16:28:39 -0200
thanks a lot again, its has worked. 2012/12/11 Y M <snort () outlook com>
Corrections below. ------------------------------ To: lmpezente () gmail com; rcombs () sourcefire com From: snort () outlook com Date: Tue, 11 Dec 2012 20:56:08 +0300 CC: snort-users () lists sourceforge net Subject: Re: [Snort-users] letdown, dos attempt not detecting Because this is a custom rule, it has to be manually added at least for now to the sid-msg.map file, for example: 1000024 || DOS syn attempt || url, <add the tool url for reference> Also add the the URL to your Snort rule (and revision number too :) ). If the alert is showing in BASE as Snort Alert [1:1000024:1], which stands for gid:sid:rev , then you will have to update the "signature" table in the database, barnyard2 documents the update statement to execute. Then you can add the tool to the local.rules file, and tell PulledPork if are using it to process local rules as part of its processing. Thanks for the rule. YM ------------------------------ From: Leonardo Pezente <lmpezente () gmail com> Sent: 12/11/2012 8:41 PM To: Russ Combs <rcombs () sourcefire com> Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] letdown, dos attempt not detecting its really works, thanks. here is the rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS syn attempt"; flags:S; flow:to_server; classtype:attempted-dos; detection_filter: track by_src, count 1000, seconds 40; sid:1000024;) the only think is: i cant see the msg on BASE GUI, and this is a really interesting thing. 2012/12/11 Russ Combs <rcombs () sourcefire com> On Tue, Dec 11, 2012 at 11:45 AM, Leonardo Pezente <lmpezente () gmail com>wrote: im testing snort attacking it with a tool called "letdown".it is a tcp floder. The think is: im not able to detect what could be a potencial dos attack. Letdown generate like 65000 syn packets, so this should be detect fot snort. I have uncomment the dos and ddos rules, but no deal. so im tring to create a rule to detct this kind of traffic. Is that possible? any idea how i can do that? Check out Snort's README.filters. There are rate_filter examples for 135:1 that you can start with. ------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-usersPlease visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-usersPlease visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- letdown, dos attempt not detecting Leonardo Pezente (Dec 11)
- Re: letdown, dos attempt not detecting Russ Combs (Dec 11)
- Re: letdown, dos attempt not detecting Leonardo Pezente (Dec 11)
- Re: letdown, dos attempt not detecting Jeremy Hoel (Dec 11)
- Re: letdown, dos attempt not detecting Leonardo Pezente (Dec 11)
- <Possible follow-ups>
- Re: letdown, dos attempt not detecting Y M (Dec 11)
- Re: letdown, dos attempt not detecting Y M (Dec 11)
- Re: letdown, dos attempt not detecting Leonardo Pezente (Dec 11)
- Re: letdown, dos attempt not detecting Y M (Dec 11)
- Re: letdown, dos attempt not detecting Russ Combs (Dec 11)