Snort mailing list archives

Previous By Date Next
Previous By Thread Next

detecting Dos attacks on mininet

From: <priyankshah902002 () gmail com>
Date: Fri, 22 Jul 2016 05:49:39 -0400
Hi all,

I  have set up a small topology with one switch, four hosts and a remote opendaylight controller using Mininet. I have 
also set up a bridge where all the traffic to h2 is mirrored to h3(10.0.0.3) using port mirroring. I’m running Snort on 
h3. I use the following command to initiate a syn flood attack from h1 (10.0.0.1) to h2(10.0.0.2) : 

Hping3 -c 10000 -d 120 -S -w 64 -p 21 –flood –rand-source 10.0.0.2

I have used the following rule for detection:

alert tcp any any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; detection_filter: track by_dst, 
count 70, seconds 10;

but wont detect the syn packets. I used a test rule to detect icmp packets and that works perfectly. 
Can you please point out any mistake that I have or could have made.

Thank You,
Priyank
priyankshah902002 () gmail com


------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: