Snort mailing list archives

Re: letdown, dos attempt not detecting


From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 11 Dec 2012 17:59:33 +0000

What do you have snort's output set to?
Have you checked the mysql tables directly?
Does barnyard give any errors (and is it running?)?

On Tue, Dec 11, 2012 at 5:40 PM, Leonardo Pezente <lmpezente () gmail com> wrote:
It really works, thanks. Here is the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS syn attempt";
flags:S; flow:to_server; classtype:attempted-dos; detection_filter: track
by_src, count 1000, seconds 40; sid:1000024;)

The only thing is: I can't see the msg on the BASE GUI, and this is a really
interesting thing.

2012/12/11 Russ Combs <rcombs () sourcefire com>



On Tue, Dec 11, 2012 at 11:45 AM, Leonardo Pezente <lmpezente () gmail com>
wrote:

I'm testing Snort by attacking it with a tool called "letdown". It is a TCP
flooder. The thing is: I'm not able to detect what could be a potential DoS
attack.
Letdown generates something like 65000 SYN packets, so this should be detected by
Snort. I have uncommented the dos and ddos rules, but no deal. So I'm trying to
create a rule to detect this kind of traffic. Is that possible? Any idea how
I can do that?


Check out Snort's README.filters.  There are rate_filter examples for
135:1 that you can start with.



------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
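To make the behaviour of the rule quoted in this thread concrete, here is an added example (not code from the thread, from Snort, or from BASE) that parses the rule's detection_filter option and models its per-source counting over constructed SYN timestamps. The source address 198.51.100.7 and the packet timings are constructed; the window bookkeeping is a simplified model of Snort's thresholding, written from the documented "rate which must be exceeded" semantics rather than copied from the engine.

```python
"""Model of the detection_filter in the thread's rule:
track by_src, count 1000, seconds 40.
All traffic below is constructed; nothing is sent on the network."""
import re
from dataclasses import dataclass

# The rule as posted in the thread, joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS syn attempt"; '
        'flags:S; flow:to_server; classtype:attempted-dos; detection_filter: track '
        'by_src, count 1000, seconds 40; sid:1000024;)')

_DF_RE = re.compile(
    r"detection_filter:\s*track\s+(by_src|by_dst)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)")


def parse_detection_filter(rule: str) -> tuple[str, int, int]:
    """Return (track, count, seconds) from a rule's detection_filter option."""
    m = _DF_RE.search(rule)
    if m is None:
        raise ValueError("rule has no detection_filter option")
    return m.group(1), int(m.group(2)), int(m.group(3))


@dataclass
class _Window:
    tstart: float  # time of the first packet in the current window
    count: int     # packets seen from this key in the window


class DetectionFilter:
    """Per-key counter: the rule is allowed to alert only once more than
    `count` matching packets from one key arrive within `seconds`.
    (Simplified model, an assumption about the engine: the window starts at
    the first packet from a key and restarts once it is older than `seconds`.)"""

    def __init__(self, count: int, seconds: float):
        self.count = count
        self.seconds = seconds
        self._state: dict[str, _Window] = {}

    def check(self, key: str, ts: float) -> bool:
        w = self._state.get(key)
        if w is None or ts - w.tstart > self.seconds:
            w = self._state[key] = _Window(tstart=ts, count=0)
        w.count += 1
        return w.count > self.count  # alert on the (count+1)th packet onwards


def run_scenario(inter_arrival: float, packets: int = 1200) -> dict:
    """Feed `packets` SYNs from one constructed source, spaced `inter_arrival`
    seconds apart, through the thread's filter and report what would alert."""
    _track, count, seconds = parse_detection_filter(RULE)
    df = DetectionFilter(count=count, seconds=seconds)
    alerting = [i for i in range(packets)
                if df.check("198.51.100.7", i * inter_arrival)]  # constructed src
    return {
        "packets": packets,
        "alerts": len(alerting),
        # 1-based number of the first packet that produced an alert, if any
        "first_alert_packet": alerting[0] + 1 if alerting else None,
    }


if __name__ == "__main__":
    # Fast flood: 1200 SYNs in 12 s -> 200 alerts, the first on packet 1001.
    print(run_scenario(0.01))
    # Slow sender: 1200 SYNs spread over 60 s never exceed 1000 in any 40 s window.
    print(run_scenario(0.05))
    # A normal client opening five connections never trips the filter.
    print(run_scenario(0.01, packets=5))
```

The point the model makes visible is that detection_filter suppresses the first 1000 SYNs from a source entirely and then alerts on every further SYN inside the window, so a flood like letdown's produces many events while a sender that stays under the rate produces none. If those events are not visible in BASE, the rule is not the place to look; the unified2 output, barnyard2 and the database tables are, as the reply above suggests.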




