Snort mailing list archives

Re: Triggering inspector rules (arp_spoof / stream)


From: Oscar Alvarez <info () firenetsecurity com>
Date: Fri, 14 Apr 2023 17:20:15 -0700

Here are some steps to help you configure Snort3 to detect these attacks:

Download and install Snort3 on your system.
Create a new configuration file for Snort3, typically located in /etc/snort/snort.conf.
In the configuration file, specify the rules that Snort3 should use to detect ARP spoofing and TCP/SYN flood attacks.
To detect ARP spoofing attacks, you can use the "arp_spoof" rule, which is included in the default ruleset. This rule 
alerts when an ARP packet is received with a different MAC address than the one associated with the corresponding IP 
address in the ARP cache.
To detect TCP/SYN flood attacks, you can use the "tcp_syn_flood" rule, which is also included in the default ruleset. 
This rule alerts when a large number of TCP SYN packets are received from a single IP address within a short period of 
time.
Make sure to enable the rules in your Snort3 configuration file by adding them to the "rules" section.
Start Snort3 and monitor the alerts generated by the system to detect ARP spoofing and TCP/SYN flood attacks.
Note that Snort3 has many other built-in rules and can also be customized to detect additional types of attacks. It is 
important to keep your Snort3 rules up-to-date to ensure the system is able to detect the latest threats.

Sent from my iPhone

On Apr 10, 2023, at 6:05 AM, Julia Geiger <julia.geiger () rolls-royce-solutions de> wrote:

Hello Snort Community,

I am a student who just started working with Snort3 (Version: 3.1.18.0).
For my Project I need to detect arp spoofing and TCP/SYN flood attacks.

For the arp_spoof inspector I configured the ip/mac address mapping in the configuration file.
I also wrote rules for the four arp_spoof inspector events.
When I run an arp spoofing attack I get a log entry for rule 4 "attempted ARP cache overwrite attack".
But when a message is sent to a host where the destination IP/MAC address is spoofed, I do not get a log entry for 
rule 3.
I looked at the sent packets and the IP/MAC addresses do not match the configured values. I do not know why these 
rules are not triggered.
My config looks like this (inside of my snort.lua file):
arp_spoof = {
   hosts = {
       {ip ="x.x.x.x", mac ="xx:xx:xx:xx:xx:xx"},
   }
}

My rule file looks like this:
alert ( msg:"some msg1"; gid:112; sid:1; )
alert ( msg:"some msg2"; gid:112; sid:2; )
alert ( msg:"some msg3"; gid:112; sid:3; )
alert ( msg:"some msg4"; gid:112; sid:4; )


Besides that I am trying to trigger rule 1 of the stream_inspector to detect SYN flood attacks.
I looked into the code but I could not find what the conditions are to trigger the rule.
But so far I could not trigger this rule.
My own rule which just counts incoming packets with "flags:S" works perfectly though.
I again enabled the inspector in my config and wrote rules for that event.

My config looks like this (inside my snort.lua file):
stream = {}
My rule file looks like this:
alert (msg: "msg1"; gid: 135; sid:1;)


I would really appreciate any support on triggering these events.

Thanks for any advice!


Best regards
Julia
Geschäftsführung/Board of Management: Michael Hierholzer CEO, Astrid Leeb CFO
Registergericht/Register Court: Amtsgericht Berlin-Charlottenburg, Nr./No. HRB 153514B
Rolls-Royce Solutions Berlin GmbH is part of Rolls-Royce Power Systems AG

Rolls-Royce Power Systems and its affiliates respects the protection of your personal data. For further information, 
please click here for our privacy notice<https://www.mtu-solutions.com/eu/en/legal-pages/privacy-policy.html>.
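Editor's note: the following snort.lua fragment is an added example that puts both halves of the question together; it is not code posted by either participant. Snort 3 reads a Lua configuration (snort.lua, as in the question, not a snort.conf) and ships no builtin rule named tcp_syn_flood: SYN floods are caught with a rate_filter over the stream session event 135:1. As far as I can tell from the stream code (an assumption to verify against 3.1.18.0), the gid 135 session events are only queued when a rate_filter references them, which would explain why a bare alert rule on 135:1 never fires by itself. The per-event comments on arp_spoof summarize my reading of that inspector (also to be verified against your version): only 112:4 consults the hosts table, while 112:1-3 compare fields inside the ARP frame, and 112:3 in particular is raised for ARP replies whose target hardware address differs from the Ethernet destination MAC, so spoofed addresses in non-ARP traffic will not trigger it. All IP and MAC addresses, the network ranges and the thresholds are placeholders.

```lua
-- snort.lua fragment (added example; addresses and thresholds are placeholders)

HOME_NET = '192.168.1.0/24'   -- assumed lab network
EXTERNAL_NET = 'any'

-- arp_spoof (gid 112). Reading of the inspector's checks (verify for your version):
--   112:1 unicast ARP request: ARP request whose target MAC is not the broadcast address
--   112:2 ethernet/ARP mismatch request for source: ARP sender MAC != Ethernet source MAC
--   112:3 ethernet/ARP mismatch request for destination: ARP *reply* whose
--         target MAC != Ethernet destination MAC
--   112:4 attempted ARP cache overwrite attack: sender IP is in `hosts`
--         but the sender MAC differs from the one configured
-- Only 112:4 uses the hosts table; 112:1-3 compare fields inside the frame itself.
arp_spoof =
{
    hosts =
    {
        { ip = '192.168.1.1',  mac = '00:11:22:33:44:55' },   -- gateway (placeholder)
        { ip = '192.168.1.10', mac = '00:11:22:33:44:66' },   -- server (placeholder)
    },
}

-- stream must be loaded for the gid 135 session events, stream_tcp for TCP tracking.
stream = { }
stream_tcp = { }

-- rate_filter: below `count` SYNs per `seconds` from one source the rule keeps its
-- own action; once exceeded, `new_action` is applied for `timeout` seconds.
-- Configuring this filter is also what (as far as I can tell) makes 135:1 get
-- queued at all; adjust count/seconds to the baseline of your network.
rate_filter =
{
    {
        gid = 135, sid = 1,
        track = 'by_src',
        count = 100, seconds = 1,
        new_action = 'alert',   -- use 'block' or 'drop' only in inline mode
        timeout = 10,
    },
}

-- Builtin-event rules. Note the option separator is ';' (not ','), and builtin
-- rules take no header (protocol/addresses/ports); gid + sid select the event.
ips =
{
    rules = [[
alert ( msg:"ARP unicast request";                  gid:112; sid:1; rev:1; )
alert ( msg:"ARP/Ethernet source MAC mismatch";     gid:112; sid:2; rev:1; )
alert ( msg:"ARP/Ethernet target MAC mismatch";     gid:112; sid:3; rev:1; )
alert ( msg:"ARP cache overwrite (hosts table)";    gid:112; sid:4; rev:1; )
alert ( msg:"TCP SYN rate exceeded (stream 135:1)"; gid:135; sid:1; rev:1; )
]],
}

-- Plain one-line alerts on stdout; `snort -c snort.lua -T` validates the config first.
alert_fast = { }
```

To test it, validate with `snort -c snort.lua -T`, then run `snort -c snort.lua -i <interface> -A alert_fast` while replaying the attack. For the arp_spoof side, send forged ARP replies (not IP packets) whose sender IP is one of the configured hosts with a different MAC to hit 112:4, and replies whose ARP target MAC differs from the Ethernet destination to hit 112:3.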
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset and stay up to date to catch the latest emerging threats: https://snort.org/downloads/#rule-downloads