Snort mailing list archives

Re: Unable to detect port-specific DoS attack


From: Mayur Patil <ram.nath241089 () gmail com>
Date: Thu, 29 Aug 2013 10:18:50 +0530

Hi,

   I have found pcap files at these locations; please suggest which one
I should send.


/var/lib/yum/yumdb/l/a73becfaf9eee2c429b69b930bd4c5339d089942-libpcap-1.0.0-6.20091201git117cb5.el6-x86_64
  /usr/share/doc/libpcap-1.0.0
  /usr/share/doc/libpcap-1.0.0/pcap.txt
  /usr/share/man/man7/pcap-filter.7.gz
  /usr/share/man/man7/pcap-linktype.7.gz
  /usr/share/texmf/tex/latex/oberdiek/hypcap.sty
  /usr/share/texmf/tex/latex/ltxmisc/topcapt.sty
  /usr/lib64/libpcap.so.1.0.0
  /usr/lib64/libpcap.so.1
  /usr/lib64/gstreamer-0.10/libgstpcapparse.so
  /usr/sbin/getpcaps
  /selinux/class/capability/perms/setpcap

  Seeking guidance,

   Thanks!

PS. I was unable to send earlier as my setup is in the college.

-- 
*Cheers,
Mayur*


On Tue, Aug 27, 2013 at 6:51 PM, Wei Chea Ang <weichea () gmail com> wrote:

Can you share the pcap?
On 27 Aug, 2013 7:53 PM, "Mayur Patil" <ram.nath241089 () gmail com> wrote:

Hi,

  I have written the rule

 alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)


  which generates alerts for random ports which are not on my
lists... fine.

   But if I write it port-specific, it does not log into the alert file:
   alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

 What am I actually missing?

 Please help

 Thanks !
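Added example, not from the thread: a small Python model of how the two rule headers above select packets and how detection_filter:track by_dst, count 50, seconds 1 counts them. The addresses, the collector 10.0.0.5 and the traffic are constructed, and the window reset is a simplified model of Snort's thresholding rather than its actual code.

```python
import ipaddress
from collections import defaultdict
RULE_ANY_SRC = "any"                              # source field of the first rule
RULE_LISTED_SRC = "[192.168.21.1,192.168.21.2]"  # source field of the second rule
SYSLOG_PORT = 514

def parse_src(spec):
    """'any' matches every source; else a single address/CIDR or a [a,b] list."""
    if spec.strip() == "any":
        return None
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]

def src_matches(nets, src):
    return nets is None or any(ipaddress.ip_address(src) in n for n in nets)

class DetectionFilter:
    """Simplified detection_filter:track by_dst, count N, seconds S: a window opens
    at a destination's first match, is reset when it expires, and the rule fires
    on every match after N matches within one window."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])   # dst -> [window_start, hits]
    def check(self, dst, ts):
        st = self.state[dst]
        if st[0] is None or ts - st[0] >= self.seconds:
            st[0], st[1] = ts, 0
        st[1] += 1
        return st[1] > self.count

def run_rule(src_spec, packets, count=50, seconds=1):
    """Return (timestamp, src) for every packet that would raise the alert."""
    nets, df, alerts = parse_src(src_spec), DetectionFilter(count, seconds), []
    for ts, src, dst, dport in packets:           # packets are (ts, src, dst, dport)
        if dport != SYSLOG_PORT or not src_matches(nets, src):
            continue                              # header does not match: not counted
        if df.check(dst, ts):
            alerts.append((ts, src))
    return alerts

def sample_traffic():
    """Constructed: 60 packets in one second from a host NOT on the list, plus 10
    from a listed host, all to the same syslog collector."""
    pkts = [(i / 100, "192.168.21.9", "10.0.0.5", SYSLOG_PORT) for i in range(60)]
    pkts += [(i / 10, "192.168.21.1", "10.0.0.5", SYSLOG_PORT) for i in range(10)]
    return sorted(pkts)
if __name__ == "__main__":
    for spec in (RULE_ANY_SRC, RULE_LISTED_SRC):
        print(spec, "->", len(run_rule(spec, sample_traffic())), "alerts")
```

With the constructed traffic the "any" header counts all 70 packets to the collector and alerts on the last 20, while the listed-source header only ever sees the 10 packets from 192.168.21.1 and stays silent.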




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
