Snort mailing list archives
Re: Triggering inspector rules (arp_spoof / stream)
From: Oscar Alvarez <info () firenetsecurity com>
Date: Fri, 14 Apr 2023 17:20:15 -0700
Here are some steps to help you configure Snort3 to detect these attacks:

1. Download and install Snort3 on your system.
2. Create a new configuration file for Snort3, typically located in /etc/snort/snort.conf.
3. In the configuration file, specify the rules that Snort3 should use to detect ARP spoofing and TCP/SYN flood attacks.
   - To detect ARP spoofing attacks, you can use the "arp_spoof" rule, which is included in the default ruleset. This rule alerts when an ARP packet is received with a different MAC address than the one associated with the corresponding IP address in the ARP cache.
   - To detect TCP/SYN flood attacks, you can use the "tcp_syn_flood" rule, which is also included in the default ruleset. This rule alerts when a large number of TCP SYN packets are received from a single IP address within a short period of time.
4. Make sure to enable the rules in your Snort3 configuration file by adding them to the "rules" section.
5. Start Snort3 and monitor the alerts generated by the system to detect ARP spoofing and TCP/SYN flood attacks.

Note that Snort3 has many other built-in rules and can also be customized to detect additional types of attacks. It is important to keep your Snort3 rules up-to-date to ensure the system is able to detect the latest threats.

Sent from my iPhone
On Apr 10, 2023, at 6:05 AM, Julia Geiger <julia.geiger () rolls-royce-solutions de> wrote:

Hello Snort Community,

I am a student who just started working with Snort3 (Version: 3.1.18.0). For my project I need to detect ARP spoofing and TCP/SYN flood attacks.

For the arp_spoof inspector I configured the IP/MAC address mapping in the configuration file. I also wrote rules for the four arp_spoof inspector events. When I run an ARP spoofing attack I get a log entry for rule 4 "attempted ARP cache overwrite attack". But when a message is sent to a host where the destination IP/MAC address is spoofed, I do not get a log entry for rule 3. I looked at the sent packets and the IP/MAC addresses do not match the configured values. I do not know why these rules are not triggered.

My config looks like this (inside my snort.lua file):

    arp_spoof = {
        hosts = {
            { ip = "x.x.x.x", mac = "xx:xx:xx:xx:xx:xx" },
        }
    }

My rule file looks like this:

    alert ( msg:"some msg1"; gid:112; sid:1; )
    alert ( msg:"some msg2"; gid:112; sid:2; )
    alert ( msg:"some msg3"; gid:112; sid:3; )
    alert ( msg:"some msg4"; gid:112; sid:4; )

Besides that, I am trying to trigger rule 1 of the stream_inspector to detect SYN flood attacks. I looked into the code but I could not find what the conditions are to trigger the rule. So far I could not trigger this rule. My own rule which just counts incoming packets with "flag:S" works perfectly though. I again enabled the inspector in my config and wrote rules for that event.

My config looks like this (inside my snort.lua file):

    stream = {}

My rule file looks like this:

    alert ( msg:"msg1"; gid:135; sid:1; )

I would really appreciate any support on triggering these events.

Thanks for any advice!

Best regards
Julia

Geschäftsführung/Board of Management: Michael Hierholzer CEO, Astrid Leeb CFO
Registergericht/Register Court: Amtsgericht Berlin-Charlottenburg, Nr./No. HRB 153514B
Rolls-Royce Solutions Berlin GmbH is part of Rolls-Royce Power Systems AG
Rolls-Royce Power Systems and its affiliates respect the protection of your personal data. For further information, please see our privacy notice: https://www.mtu-solutions.com/eu/en/legal-pages/privacy-policy.html

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
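To make the arp_spoof question in the thread concrete, here is an added Python example (not Snort's code, and not code from either poster) that models the checks an ARP-spoof inspector configured with a per-host ip/mac table performs. The page only names the message of event 112:4 ("attempted ARP cache overwrite attack"); the meaning I give to events 1, 2 and 3 (unicast request, Ethernet source vs ARP sender mismatch, Ethernet destination vs ARP target mismatch in replies) is my understanding of the four arp_spoof events and should be checked against the inspector's documentation. The host table and all sample frames are constructed. The point worth noticing for the rule-3 question is that such an inspector consumes ARP frames only: an IP packet carrying forged Ethernet addresses never reaches these checks, so a capture used to test rule 3 should contain ARP replies, not ordinary traffic to the spoofed host.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed stand-in for the arp_spoof "hosts" table in snort.lua (ip -> mac).
HOSTS: Dict[str, str] = {"10.0.0.1": "aa:bb:cc:00:00:01"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    opcode: int
    sha: str  # ARP sender hardware address
    spa: str  # ARP sender protocol (IPv4) address
    tha: str  # ARP target hardware address
    tpa: str  # ARP target protocol (IPv4) address


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None  # not ARP (e.g. an IP packet with forged MACs): nothing for these checks to see
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != ETH_P_IP or hlen != 6 or plen != 4:
        return None
    return ArpFrame(mac_str(eth_dst), mac_str(eth_src), op,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp(eth_dst: str, eth_src: str, opcode: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct a 42-byte Ethernet/ARP frame; used here only to produce sample input."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, opcode,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def arp_spoof_events(frame: bytes, hosts: Dict[str, str] = HOSTS) -> List[int]:
    """Return the gid 112 sids this frame would raise under the (assumed) four checks."""
    arp = parse_arp(frame)
    events: List[int] = []
    if arp is None:
        return events
    if arp.opcode == ARP_REQUEST and arp.eth_dst != BROADCAST:
        events.append(1)  # unicast ARP request (assumed semantics of 112:1)
    if arp.eth_src != arp.sha:
        events.append(2)  # Ethernet source differs from ARP sender hardware address (assumed 112:2)
    if arp.opcode == ARP_REPLY and arp.eth_dst != arp.tha:
        events.append(3)  # reply whose Ethernet destination differs from its ARP target (assumed 112:3)
    expected = hosts.get(arp.spa)
    if expected is not None and arp.sha != expected:
        events.append(4)  # configured host advertised with another MAC: the cache-overwrite case (112:4)
    return events


# Constructed sample frames.
GOOD_REPLY = build_arp("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", ARP_REPLY,
                       "aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:02", "10.0.0.2")
SPOOFED_REPLY = build_arp("aa:bb:cc:00:00:02", "de:ad:be:ef:00:99", ARP_REPLY,
                          "de:ad:be:ef:00:99", "10.0.0.1", "aa:bb:cc:00:00:02", "10.0.0.2")
MISDELIVERED_REPLY = build_arp("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:01", ARP_REPLY,
                               "aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:02", "10.0.0.2")
# An IPv4 frame with forged Ethernet addresses: not ARP, so it produces no arp_spoof events.
NOT_ARP = struct.pack("!6s6sH", mac_bytes("aa:bb:cc:00:00:02"),
                      mac_bytes("de:ad:be:ef:00:99"), ETH_P_IP) + b"\x45" + b"\x00" * 27

if __name__ == "__main__":
    for name, frame in [("good", GOOD_REPLY), ("spoofed", SPOOFED_REPLY),
                        ("misdelivered", MISDELIVERED_REPLY), ("not_arp", NOT_ARP)]:
        print(name, arp_spoof_events(frame))
```

Running the block prints one line per sample: the legitimate reply raises nothing, the reply that claims 10.0.0.1 with a foreign MAC raises 4, the reply delivered to a different Ethernet destination than its ARP target raises 3, and the IPv4 frame raises nothing at all despite its forged addresses.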
Current thread:
- Triggering inspector rules (arp_spoof / stream) Julia Geiger (Apr 10)
- Re: Triggering inspector rules (arp_spoof / stream) joel (Apr 12)
- Re: Triggering inspector rules (arp_spoof / stream) Oscar Alvarez (Apr 14)
- Re: Triggering inspector rules (arp_spoof / stream) Oscar Alvarez (Apr 14)
- Re: Triggering inspector rules (arp_spoof / stream) Joel Esler (Apr 16)