Snort mailing list archives

Re: Triggering inspector rules (arp_spoof / stream)


From: Oscar Alvarez <info () firenetsecurity com>
Date: Fri, 14 Apr 2023 17:21:03 -0700

Here are the steps to enable the Stream_Inspector preprocessor and rule 1 in Snort3:

Open your Snort3 configuration file (usually located at /etc/snort/snort.conf) in a text editor.
Search for the section that starts with "preprocessor stream_inspect".
Make sure that the "stream_inspect" preprocessor is enabled by removing the "#" character at the beginning of the line.
To enable rule 1 of the Stream_Inspector preprocessor, add the following line to your Snort3 configuration file:
stream_preprocessor: rule 1
Save the configuration file and restart Snort3 for the changes to take effect.
Once rule 1 of the Stream_Inspector preprocessor is enabled, it should trigger an alert when it detects a TCP SYN flood 
attack. The exact threshold for this rule can be adjusted by modifying the "max_queued_packets" option in the Snort3 
configuration file. By default, this option is set to 5 packets in a 1-second window, but you may want to adjust this 
value depending on the specifics of your network environment.

Sent from my iPhone

On Apr 10, 2023, at 6:05 AM, Julia Geiger <julia.geiger () rolls-royce-solutions de> wrote:

Hello Snort Community,

I am a student who just started working with Snort3 (Version: 3.1.18.0).
For my project I need to detect ARP spoofing and TCP/SYN flood attacks.

For the arp_spoof inspector I configured the ip/mac address mapping in the configuration file.
I also wrote rules for the four arp_spoof inspector events.
When I run an arp spoofing attack I get a log entry for rule 4 "attempted ARP cache overwrite attack".
But when a message is sent to a host where the destination ip/mac address is spoofed, I do not get a log entry for 
rule 3.
I looked at the sent packets and the ip/mac addresses do not match the configured values. I do not know why these 
rules are not triggered.
My config looks like this (inside of my snort.lua file):
arp_spoof = {
   hosts = {
       {ip ="x.x.x.x", mac ="xx:xx:xx:xx:xx:xx"},
   }
}

My rule file looks like this:
alert ( msg:"some msg1"; gid:112; sid:1; )
alert ( msg:"some msg2"; gid:112; sid:2; )
alert ( msg:"some msg3"; gid:112; sid:3; )
alert ( msg:"some msg4"; gid:112; sid:4; )


Besides that I am trying to trigger rule 1 of the stream_inspector to detect SYN flood attacks.
I looked into the code but I could not find what the conditions are to trigger the rule.
But so far I could not trigger this rule.
My own rule which just counts incoming packets with "flag:S" works perfectly though.
I again enabled the inspector in my config and wrote rules for that event.

My config looks like this (inside my snort.lua file):
stream = {}
My rule file looks like this:
alert ( msg:"msg1"; gid:135; sid:1; )


I would really appreciate any support on triggering these events.

Thanks for any advice!


Best regards
Julia
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset and make sure to stay up to date to catch the most 
emerging threats: https://snort.org/downloads/#rule-downloads
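To show which of the gid 112 events Julia's rules are waiting on, here is an added example that is not part of this thread: a simplified Python model of the arp_spoof inspector's four checks, written from the inspector's published event names, with constructed frames and a placeholder hosts table standing in for the real snort.lua values. It assumes (as the inspector's event descriptions state) that events 1 to 3 compare the Ethernet header against the ARP payload of the same frame, while only event 4 consults the hosts table, and only for ARP replies.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpFrame:
    eth_src: str   # Ethernet header source MAC
    eth_dst: str   # Ethernet header destination MAC
    opcode: int    # 1 = request, 2 = reply
    sha: str       # ARP sender hardware address
    spa: str       # ARP sender protocol (IP) address
    tha: str       # ARP target hardware address

def arp_spoof_events(frame, hosts):
    """Return the gid 112 event ids a frame would raise (simplified model).
    `hosts` mirrors the arp_spoof.hosts table as {ip: mac}. Checks 1-3 compare
    the Ethernet header with the ARP payload of the same frame; only check 4
    uses the host table, and only for replies (assumption, see lead-in)."""
    events = []
    if frame.opcode == ARP_REQUEST:
        if frame.eth_dst.lower() != BROADCAST:
            events.append(1)  # unicast ARP request
        elif frame.eth_src.lower() != frame.sha.lower():
            events.append(2)  # ethernet/ARP mismatch request for source
    elif frame.opcode == ARP_REPLY:
        if frame.eth_src.lower() != frame.sha.lower():
            events.append(2)  # ethernet/ARP mismatch request for source
        elif frame.eth_dst.lower() != frame.tha.lower():
            events.append(3)  # ethernet/ARP mismatch request for destination
        expected = hosts.get(frame.spa)
        if expected and expected.lower() != frame.sha.lower():
            events.append(4)  # attempted ARP cache overwrite attack
    return events

# Constructed sample data: placeholder gateway mapping, like the snort.lua hosts entry.
HOSTS = {"192.0.2.1": "02:00:00:00:00:01"}
GATEWAY_MAC = "02:00:00:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:99"
VICTIM_MAC = "02:00:00:00:00:02"

def demo():
    # A reply claiming the gateway's IP from another MAC: Ethernet and ARP fields
    # agree with each other, so only the host-table check (event 4) fires.
    consistent = ArpFrame(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, "192.0.2.1", VICTIM_MAC)
    # A reply whose ARP target MAC differs from the Ethernet destination: event 3.
    dst_mismatch = ArpFrame(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, "192.0.2.1", ATTACKER_MAC)
    return {"consistent": arp_spoof_events(consistent, HOSTS),
            "dst_mismatch": arp_spoof_events(dst_mismatch, HOSTS)}
```

Under this model a spoofed reply whose Ethernet destination matches its ARP target address never raises event 3, which is why a test that only forges the IP-to-MAC mapping produces event 4 alone.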
