Snort mailing list archives
detecting Dos attacks on mininet
From: <priyankshah902002 () gmail com>
Date: Fri, 22 Jul 2016 05:49:39 -0400
Hi all, I have set up a small topology with one switch, four hosts and a remote opendaylight controller using Mininet. I have also set up a bridge where all the traffic to h2 is mirrored to h3(10.0.0.3) using port mirroring. I’m running Snort on h3. I use the following command to initiate a syn flood attack from h1 (10.0.0.1) to h2(10.0.0.2) : Hping3 -c 10000 -d 120 -S -w 64 -p 21 –flood –rand-source 10.0.0.2 I have used the following rule for detection: alert tcp any any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; detection_filter: track by_dst, count 70, seconds 10; but wont detect the syn packets. I used a test rule to detect icmp packets and that works perfectly. Can you please point out any mistake that I have or could have made. Thank You, Priyank priyankshah902002 () gmail com
------------------------------------------------------------------------------ What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic patterns at an interface-level. Reveals which users, apps, and protocols are consuming the most bandwidth. Provides multi-vendor support for NetFlow, J-Flow, sFlow and other flows. Make informed decisions using capacity planning reports.http://sdm.link/zohodev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- detecting Dos attacks on mininet priyankshah902002 (Jul 22)
- Re: detecting Dos attacks on mininet Jason Wallace (Jul 22)