Snort mailing list archives
Re: [snort-user] rule unable to detect port specific DoS attack
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 3 Sep 2013 11:11:35 -0400
On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:
Hello All, I have used rule
alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service
attempt";flow:to_server; detection_filter:track by_dst, count 50, seconds 1;
metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
which generates alert for at random ports which are not on my lists..fine
But if I write port-specific it does not logging into alert file
alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS
flood denial of service attempt";flow:to_server; detection_filter:track by_dst,
count 50, seconds 1; metadata:service syslog; classtype:attempted-dos;
sid:25101; rev:1;)
what I done is as follows:
I am attaching here the output of pcap file generated by wireshark.
1. I run snort in NIDS mode
snort -c /etc/snort/snort.conf -l /var/log/snort
2. Then I start capture of packets on eth0 interface.
3. I perform DoS flood attack output of which generated I am attaching here
http://fpaste.org/36432/
Seeking for guidance,
Please help,
Thanks!!
Is the traffic TCP or UDP? -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
------------------------------------------------------------------------------ Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more! Discover the easy way to master current and previous Microsoft technologies and advance your career. Get an incredible 1,500+ hours of step-by-step tutorial videos with LearnDevNow. Subscribe today and save! http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 02)
- Re: [snort-user] rule unable to detect port specific DoS attack Joel Esler (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Joel Esler (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Wei Chea Ang (Sep 04)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Joel Esler (Sep 03)