Snort mailing list archives

Previous By Date Next
Previous By Thread Next

ssh dos

From: Balla István <balla.bmf () gmail com>
Date: Sun, 19 May 2013 18:33:12 +0200
Hey guys,

I launched a DoS attack against SSH service on target host. topology looks
very simple:

target<-----snort<-----attacker

After a while snort blocked it but with Protocol mismatch(4:128) not with
DoS rule.

my ssh preproc setting in snort.conf:

preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 0 \
                  max_encrypted_packets 20 \
                  max_server_version_len 80 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch


I attach the pcap on the target host. I used a simple attacker tool
simulating 1000 parallel requesting threads.
If you have a couple of time could you take a look to the files? I wonder
why dos rule was inactive (it is included).

Thanks.

Attachment: dos_ssh.pcap
Description: 

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: