Snort mailing list archives

Re: Unable to detect port-specific DoS attack


From: Mayur Patil <ram.nath241089 () gmail com>
Date: Mon, 2 Sep 2013 23:39:43 +0530

Hi to All,

    According to Gregory and Wei Chea, I am attaching here the output of the pcap
file generated by Wireshark.

    Steps I followed are:

     1. I ran Snort in NIDS mode

         snort -c /etc/snort/snort.conf -l /var/log/snort

     2. Then I started capturing packets on the eth0 interface.

     3. I performed a DoS flood attack, the output of which I am attaching
here

         http://fpaste.org/36432/

     Seeking guidance,

     Thanks!!

PS. I was unable to send earlier as my setup is in the college.
--
Cheers,
Mayur.



On Mon, Sep 2, 2013 at 1:40 PM, Mayur Patil <ram.nath241089 () gmail com>wrote:


On Thu, Aug 29, 2013 at 10:50 AM, Mayur Patil <ram.nath241089 () gmail com>wrote:

Hi Greg,

  Please guide me to the location.

  Is it /var/log/snort/alert? As per my little knowledge, this is
the location which has the generated results of Snort rules.

  Thanks !


On Thu, Aug 29, 2013 at 10:39 AM, Gregory W. MacPherson <
greg () constellationsecurity com> wrote:

There seems to be a communication problem...

First, the files you listed are *not* 'pcap' files. They are various
libraries and programs that are used *with* pcap files.

A 'pcap' file is a packet capture that is generated by a program that is
able to place the network interface into 'promiscuous' mode and
'capture' the 'packets' that the interface receives. An example of a
program that can 'generate' pcap files is wireshark (Google).

What is being asked for is the output from such a program that can
illustrate the network traffic that is being passed to/through your
SNORT box.

-- Greg


On or about 2013.08.29 10:18:50 +0530, Mayur Patil (
ram.nath241089 () gmail com) said:

Hi,

   I have found pcap files at these locations; please suggest which one
I should send.



/var/lib/yum/yumdb/l/a73becfaf9eee2c429b69b930bd4c5339d089942-libpcap-1.0.0-6.20091201git117cb5.el6-x86_64
  /usr/share/doc/libpcap-1.0.0
  /usr/share/doc/libpcap-1.0.0/pcap.txt
  /usr/share/man/man7/pcap-filter.7.gz
  /usr/share/man/man7/pcap-linktype.7.gz
  /usr/share/texmf/tex/latex/oberdiek/hypcap.sty
  /usr/share/texmf/tex/latex/ltxmisc/topcapt.sty
  /usr/lib64/libpcap.so.1.0.0
  /usr/lib64/libpcap.so.1
  /usr/lib64/gstreamer-0.10/libgstpcapparse.so
  /usr/sbin/getpcaps
  /selinux/class/capability/perms/setpcap

  Seeking guidance,

   Thanks!



--
Cheers,
Mayur


On Tue, Aug 27, 2013 at 6:51 PM, Wei Chea Ang <weichea () gmail com>
wrote:

Can you share the pcap?
On 27 Aug, 2013 7:53 PM, "Mayur Patil" <ram.nath241089 () gmail com>
wrote:

Hi,

  I have written the rule

  alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

  which generates alerts for random ports which are not on my
lists.. fine

   But if I write it port-specific, it does not log into the alert file:

  alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

  What actually am I missing?

 Please help

 Thanks !








--
Yours Sincerely,
Mayur S. Patil,
ME COMP ENGG,
MITCOE,
Pune.

Contact :
<https://www.facebook.com/mayurram> <https://twitter.com/RamMayur>
<https://plus.google.com/u/0/107426396312814346345/about>
<http://in.linkedin.com/pub/mayur-patil/35/154/b8b/>
<http://stackoverflow.com/users/1528044/rammayur>
<https://myspace.com/mayurram> <https://github.com/ramlaxman>






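The two rules in the thread differ only in their source-address header (`any` versus `[192.168.21.1,192.168.21.2]`) and both rely on `detection_filter:track by_dst, count 50, seconds 1`. The following is an added example, not Snort's code and not the poster's setup: a small model of how a detection_filter rule decides when to alert, run over constructed flood traffic. It assumes `$HOME_NET` is 192.168.21.0/24, that the filter fires on every match after more than `count` matches for the same destination inside a `seconds`-long window, and that the window starts at the first match and resets once it expires (an assumption about the implementation, not something the thread states). All packet records are constructed test data.

```python
"""
Model of how a Snort detection_filter rule decides when to alert.

Added example; this is not Snort's code and not the poster's setup. It models
the documented meaning of

    detection_filter: track by_dst, count 50, seconds 1;

as "alert on every match after more than `count` matches for the same
destination inside a `seconds`-long window". The window here starts at the
first match and resets when it expires (an assumption about the
implementation). $HOME_NET and all packet records are constructed.
"""
from ipaddress import ip_address, ip_network

HOME_NET = [ip_network("192.168.21.0/24")]          # assumed $HOME_NET value
ANY = [ip_network("0.0.0.0/0")]                      # the first rule's "any" source
LISTED_SRC = [ip_network("192.168.21.1/32"),         # the second rule's source list
              ip_network("192.168.21.2/32")]


class DetectionFilter:
    """Per-key match counter with a fixed window (assumed Snort-like behaviour)."""

    def __init__(self, track, count, seconds):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.track, self.count, self.seconds = track, count, seconds
        self._state = {}                    # key -> (window_start, matches)

    def exceeded(self, key, ts):
        start, n = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            self._state[key] = (ts, 1)      # new window, this match is #1
            return False
        n += 1
        self._state[key] = (start, n)
        return n > self.count               # fires only once past the limit


class FloodRule:
    """Header match (proto, src/dst networks, dst port) plus a detection_filter."""

    def __init__(self, name, src_nets, dst_nets, dst_port, dfilter):
        self.name, self.src_nets, self.dst_nets = name, src_nets, dst_nets
        self.dst_port, self.dfilter = dst_port, dfilter

    def header_matches(self, pkt):
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        return (pkt["proto"] == "tcp"
                and any(src in n for n in self.src_nets)
                and any(dst in n for n in self.dst_nets)
                and pkt["dport"] == self.dst_port)

    def process(self, pkt):
        """Return an alert line for this packet, or None."""
        if not self.header_matches(pkt):
            return None
        key = pkt["dst"] if self.dfilter.track == "by_dst" else pkt["src"]
        if self.dfilter.exceeded(key, pkt["ts"]):
            return "[%s] %s -> %s:%d" % (self.name, pkt["src"], pkt["dst"], pkt["dport"])
        return None


def make_rules():
    """The two rule headers from the thread as model objects, with fresh filter state."""
    return {
        "any_src": FloodRule("any_src", ANY, HOME_NET, 514,
                             DetectionFilter("by_dst", 50, 1)),
        "listed_src": FloodRule("listed_src", LISTED_SRC, HOME_NET, 514,
                                DetectionFilter("by_dst", 50, 1)),
    }


def flood(src, dst, n, rate_pps, start_ts=0.0):
    """Constructed traffic: n TCP packets src -> dst:514 at rate_pps packets/second."""
    return [{"ts": start_ts + i / rate_pps, "proto": "tcp", "src": src,
             "dst": dst, "sport": 40000 + i, "dport": 514} for i in range(n)]


def count_alerts(rule, packets):
    return sum(1 for p in packets if rule.process(p) is not None)


def demo():
    """Alert counts for three constructed scenarios against both rules."""
    results = {}
    scenarios = {
        "fast_unlisted": flood("192.168.21.50", "192.168.21.10", 200, 1000),  # 0.2 s burst
        "fast_listed":   flood("192.168.21.1",  "192.168.21.10", 200, 1000),
        "slow_listed":   flood("192.168.21.1",  "192.168.21.10", 60, 20),     # 3 s at 20 pps
    }
    for sname, pkts in scenarios.items():
        for rname, rule in make_rules().items():
            results[(sname, rname)] = count_alerts(rule, pkts)
    return results


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print("%-14s %-10s alerts=%d" % (k[0], k[1], v))
```

In the model, a 200-packet burst from a host outside the bracketed list trips the `any`-source rule 150 times (every packet after the 50th) and the listed-source rule not at all, while a 20 packet/second stream never exceeds the count inside any one-second window and trips neither. When testing against a real Snort, replay the capture with `snort -r <file.pcap> -c /etc/snort/snort.conf` rather than relying on live traffic, and run `snort -T -c /etc/snort/snort.conf` first: the two rules in the thread both carry `sid:25101`, and Snort identifies rules by gid/sid, so check that output for duplicate-rule warnings when both are present in the configuration.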
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
