Snort mailing list archives

Re: Unable to detect port-specific DoS attack


From: Wei Chea Ang <weichea () gmail com>
Date: Tue, 27 Aug 2013 21:21:43 +0800

Can you share the pcap?
On 27 Aug, 2013 7:53 PM, "Mayur Patil" <ram.nath241089 () gmail com> wrote:

Hi,

  I have written a rule

 alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)


  which generates alerts for random ports which are not on my lists... fine

   But if I write it port-specific, it does not log into the alert file
   alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

 What am I actually missing??

 Please help

 Thanks !


--
*Cheers,
Mayur*





------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and
AppDynamics. Performance Central is your source for news, insights,
analysis and resources for efficient Application Performance Management.
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
