Snort mailing list archives
Re: Unable to detect port-specific DoS attack
From: Wei Chea Ang <weichea () gmail com>
Date: Tue, 27 Aug 2013 21:21:43 +0800
Can you share the pcap?

On 27 Aug, 2013 7:53 PM, "Mayur Patil" <ram.nath241089 () gmail com> wrote:

Hi,

I have written rule

alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt";flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

which generates alert for at random ports which are not on my lists..fine

But if I write port-specific it does not log into the alert file

alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt";flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

What actually am I missing??

Please help

Thanks !

--
*Cheers, Mayur*

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!