Snort mailing list archives
Re: Unable to detect port-specific DoS attack
From: Mayur Patil <ram.nath241089 () gmail com>
Date: Mon, 2 Sep 2013 23:39:43 +0530
Hi to All,

According to Gregory and Wei Chea, I am attaching here the output of the pcap file generated by Wireshark. The steps I followed are:

1. I ran Snort in NIDS mode:
     snort -c /etc/snort/snort.conf -l /var/log/snort
2. Then I started capturing packets on the eth0 interface.
3. I performed the DoS flood attack, the output of which I am attaching here: http://fpaste.org/36432/

Seeking guidance,
Thanks!!

PS. I was unable to send earlier as my setup is in the college.

--
Cheers,
Mayur

On Mon, Sep 2, 2013 at 1:40 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:

On Thu, Aug 29, 2013 at 10:50 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:

Hi Greg,

Please guide me to the location. Is it /var/log/snort/alert? Because, as per my little knowledge, this is the location which has the generated result of the Snort rules.

Thanks!

On Thu, Aug 29, 2013 at 10:39 AM, Gregory W. MacPherson <greg () constellationsecurity com> wrote:

There seems to be a communication problem... First, the files you listed are *not* 'pcap' files. They are various libraries and programs that are used *with* pcap files. A 'pcap' file is a packet capture that is generated by a program that is able to place the network interface into 'promiscuous' mode and 'capture' the 'packets' that the interface receives. An example of a program that can 'generate' pcap files is Wireshark (Google). What is being asked for is the output from such a program that can illustrate the network traffic that is being passed to/through your SNORT box.

--
Greg

On or about 2013.08.29 10:18:50 +0530, Mayur Patil (ram.nath241089 () gmail com) said:

Hi,

I have found pcap files at these locations; please suggest which one I should send:

  /var/lib/yum/yumdb/l/a73becfaf9eee2c429b69b930bd4c5339d089942-libpcap-1.0.0-6.20091201git117cb5.el6-x86_64
  /usr/share/doc/libpcap-1.0.0
  /usr/share/doc/libpcap-1.0.0/pcap.txt
  /usr/share/man/man7/pcap-filter.7.gz
  /usr/share/man/man7/pcap-linktype.7.gz
  /usr/share/texmf/tex/latex/oberdiek/hypcap.sty
  /usr/share/texmf/tex/latex/ltxmisc/topcapt.sty
  /usr/lib64/libpcap.so.1.0.0
  /usr/lib64/libpcap.so.1
  /usr/lib64/gstreamer-0.10/libgstpcapparse.so
  /usr/sbin/getpcaps
  /selinux/class/capability/perms/setpcap

Seeking guidance,
Thanks!

--
Cheers,
Mayur

On Tue, Aug 27, 2013 at 6:51 PM, Wei Chea Ang <weichea () gmail com> wrote:

Can you share the pcap?

On 27 Aug, 2013 7:53 PM, "Mayur Patil" <ram.nath241089 () gmail com> wrote:

Hi,

I have written the rule

  alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

which generates alerts at random ports which are not on my list... fine. But if I write it port-specific, it does not log into the alert file:

  alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

What actually am I missing?? Please help.

Thanks!

--
Yours Sincerely,
Mayur S. Patil, ME COMP ENGG, MITCOE, Pune.
Contact: <https://www.facebook.com/mayurram> <https://twitter.com/RamMayur> <https://plus.google.com/u/0/107426396312814346345/about> <http://in.linkedin.com/pub/mayur-patil/35/154/b8b/> <http://stackoverflow.com/users/1528044/rammayur> <https://myspace.com/mayurram> <https://github.com/ramlaxman>
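The two rules quoted in this thread differ only in the source-address field of the header, and both rely on detection_filter to turn a packet rate into an alert. The script below is an added example, not part of the thread and not Snort's own code: it re-implements, in simplified form, how a rule header (any / $HOME_NET / an [a,b] address list / a port) and a detection_filter (track by_dst, count N, seconds S) select packets, then runs both rules over constructed floods. HOME_NET as 192.168.21.0/24, the syslog server 192.168.21.10 and the flooding hosts 192.168.21.50 and 192.168.21.1 are assumptions; flow:to_server is approximated as any packet sent toward the rule's destination port, and the constructed traffic is not a real capture.

```python
"""Toy model of a Snort rule header plus detection_filter (added example, not Snort code).

Assumed, not from the thread: HOME_NET 192.168.21.0/24, syslog server 192.168.21.10,
floods from 192.168.21.50 (not in the rule's source list) and 192.168.21.1 (listed).
flow:to_server is approximated as "any packet toward the rule's destination port".
"""
import ipaddress
import re
from collections import namedtuple

HOME_NET = ipaddress.ip_network("192.168.21.0/24")  # assumption

RULE_ANY_SRC = (
    'alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; '
    'detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)'
)
RULE_LISTED_SRC = (
    'alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; '
    'detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)'
)

HEADER_RE = re.compile(r"^alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")
FILTER_RE = re.compile(r"detection_filter:\s*track (by_src|by_dst),\s*count (\d+),\s*seconds (\d+)")
SID_RE = re.compile(r"\bsid:(\d+);")

Packet = namedtuple("Packet", "ts src dst sport dport")
Rule = namedtuple("Rule", "src sport dst dport track count seconds sid")


def parse_rule(text):
    """Pull the header fields, detection_filter and sid out of a one-line rule."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule header: " + text)
    src, sport, dst, dport, options = m.groups()
    f, s = FILTER_RE.search(options), SID_RE.search(options)
    if not f or not s:
        raise ValueError("rule needs detection_filter and sid")
    return Rule(src, sport, dst, dport, f.group(1), int(f.group(2)), float(f.group(3)), int(s.group(1)))


def addr_matches(spec, ip):
    """Header address field: 'any', the $HOME_NET variable, one address or a [a,b,...] list."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if spec == "$HOME_NET":
        return addr in HOME_NET
    return any(addr in ipaddress.ip_network(item.strip(), strict=False)
               for item in spec.strip("[]").split(","))


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_alerts(rule_text, packets):
    """Run one rule over packets; return (ts, src, dst, sid) per alert.

    detection_filter: matches are counted per tracked address within a window of
    `seconds`; the rule fires on every match once the count exceeds `count`. The
    window restarts when it expires (a simplification of Snort's timing).
    """
    rule = parse_rule(rule_text)
    state = {}  # tracked address -> (window_start, matches so far)
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if not (addr_matches(rule.src, p.src) and port_matches(rule.sport, p.sport)
                and addr_matches(rule.dst, p.dst) and port_matches(rule.dport, p.dport)):
            continue  # header did not match, so this packet is never counted
        key = p.dst if rule.track == "by_dst" else p.src
        start, n = state.get(key, (p.ts, 0))
        if p.ts - start >= rule.seconds:
            start, n = p.ts, 0
        n += 1
        state[key] = (start, n)
        if n > rule.count:
            alerts.append((p.ts, p.src, p.dst, rule.sid))
    return alerts


def flood(src, dst, dport, n, t0, duration):
    """Constructed traffic: n packets from src to dst:dport spread over `duration` seconds."""
    return [Packet(t0 + i * duration / n, src, dst, 40000 + i, dport) for i in range(n)]


def sample_traffic():
    """Constructed floods, not a real capture."""
    return (flood("192.168.21.50", "192.168.21.10", 514, 60, 0.0, 0.5)    # 120 pps, unlisted source
            + flood("192.168.21.1", "192.168.21.10", 514, 60, 10.0, 0.5)  # 120 pps, listed source
            + flood("192.168.21.1", "192.168.21.10", 22, 60, 20.0, 0.5)   # wrong destination port
            + flood("192.168.21.1", "192.168.21.10", 514, 60, 30.0, 5.0))  # 12 pps, under the rate


if __name__ == "__main__":
    for name, rule in (("any source", RULE_ANY_SRC), ("listed sources", RULE_LISTED_SRC)):
        hits = rule_alerts(rule, sample_traffic())
        print(f"{name}: {len(hits)} alerts, sources {sorted({a[1] for a in hits})}")
```

Run as a script it evaluates each rule on its own against the same constructed traffic: the any-source rule alerts on both 120 pps floods (packets 51 to 60 of each), while the listed-source rule only ever counts packets whose source address is inside the [192.168.21.1,192.168.21.2] list, so the flood from 192.168.21.50 never reaches the count of 50 and produces no alert under it. The slow flood and the port-22 traffic alert under neither rule. To test the real thing rather than this model, capture the flood with tcpdump or Wireshark as Greg asks and replay the file through Snort, which is what the pcap request in the thread is for.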
Current thread:
- Re: Unable to detect port-specific DoS attack Mayur Patil (Aug 28)
- Re: Unable to detect port-specific DoS attack Gregory W. MacPherson (Aug 28)
- Re: Unable to detect port-specific DoS attack Mayur Patil (Aug 28)
- Re: Unable to detect port-specific DoS attack Mayur Patil (Sep 02)
- Re: Unable to detect port-specific DoS attack Mayur Patil (Sep 02)
- Re: Unable to detect port-specific DoS attack Mayur Patil (Aug 28)
- Re: Unable to detect port-specific DoS attack Gregory W. MacPherson (Aug 28)