Snort mailing list archives
Re: [snort-user] rule unable to detect port specific DoS attack
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 3 Sep 2013 11:11:35 -0400
On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:
Hello All,

I have used the rule

alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

which generates alerts at random ports which are not on my lists... fine. But if I write it port-specific, it does not log into the alert file:

alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

What I did is as follows (I am attaching here the output of the pcap file generated by Wireshark):

1. I run Snort in NIDS mode: snort -c /etc/snort/snort.conf -l /var/log/snort
2. Then I start capturing packets on the eth0 interface.
3. I perform the DoS flood attack, the output of which I am attaching here: http://fpaste.org/36432/

Seeking guidance, please help. Thanks!!
Is the traffic TCP or UDP?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
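The exchange above turns on two things the rule header decides before detection_filter ever counts anything: the protocol keyword (a `tcp` rule never sees a UDP flood, which is why the question "TCP or UDP?" matters for port 514 syslog traffic) and the bracketed source list, which only admits packets from the listed hosts. The following is an added example, not code from the thread or from Snort: a small Python model of the rule header match plus a detection_filter counter, run over constructed traffic. It assumes $HOME_NET is 192.168.21.0/24 and a target host 192.168.21.50, and it approximates detection_filter as "alert on every match after `count` matches from the tracked host within `seconds`", following the manual's description of a rate that must be exceeded, rather than reproducing Snort's exact bookkeeping.

```python
"""Model of a Snort rule header match and detection_filter (added example, not Snort code).

Thresholding is an approximation: a match raises an alert once the tracked host has
produced more than `count` matches inside a `seconds`-long window.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tok: str, variables: dict) -> Optional[list]:
    """'any' -> None (wildcard); '$VAR' -> variable lookup; '[a,b]' -> list of networks."""
    if tok == "any":
        return None
    if tok.startswith("$"):
        tok = variables[tok[1:]]
    return [ip_network(n, strict=False) for n in tok.strip("[]").split(",")]


def _parse_port(tok: str) -> Optional[int]:
    return None if tok == "any" else int(tok)


def parse_header(header: str, variables: dict) -> dict:
    """Parse 'alert <proto> <src> <sport> -> <dst> <dport>' (only the -> direction)."""
    _action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only the -> direction is modelled")
    return {"proto": proto.lower(),
            "src": _parse_addr(src, variables), "sport": _parse_port(sport),
            "dst": _parse_addr(dst, variables), "dport": _parse_port(dport)}


def _addr_ok(nets, ip: str) -> bool:
    return nets is None or any(ip_address(ip) in n for n in nets)


def header_matches(rule: dict, pkt: Packet) -> bool:
    """Protocol, addresses and ports must all match, exactly as in the rule header."""
    return (rule["proto"] in ("ip", pkt.proto)
            and _addr_ok(rule["src"], pkt.src)
            and (rule["sport"] is None or rule["sport"] == pkt.sport)
            and _addr_ok(rule["dst"], pkt.dst)
            and (rule["dport"] is None or rule["dport"] == pkt.dport))


class DetectionFilter:
    """detection_filter: track by_dst|by_src, count N, seconds S (approximate semantics)."""

    def __init__(self, track: str, count: int, seconds: float):
        self.track, self.count, self.seconds = track, count, seconds
        self.state = {}  # tracked host -> (window_start, matches_in_window)

    def exceeded(self, pkt: Packet) -> bool:
        key = pkt.dst if self.track == "by_dst" else pkt.src
        start, n = self.state.get(key, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:   # window expired: start a fresh one
            start, n = pkt.ts, 0
        n += 1
        self.state[key] = (start, n)
        return n > self.count


def run_rule(header: str, variables: dict, df: DetectionFilter, packets: List[Packet]) -> List[int]:
    """Return the indices of packets that would produce an alert."""
    rule = parse_header(header, variables)
    return [i for i, p in enumerate(packets) if header_matches(rule, p) and df.exceeded(p)]


def flood(proto: str, src: str, dst: str, n: int, t0: float = 0.0, dt: float = 0.005) -> List[Packet]:
    """Constructed sample traffic: n packets from src to dst:514, dt seconds apart."""
    return [Packet(t0 + i * dt, proto, src, 40000 + i, dst, 514) for i in range(n)]


VARS = {"HOME_NET": "192.168.21.0/24"}                        # assumed value
HDR_ANY = "alert tcp any any -> $HOME_NET 514"
HDR_IPS = "alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514"
HDR_UDP = "alert udp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514"

# Constructed traffic: a UDP flood and a TCP flood from a listed source, then a TCP
# flood from an unlisted source; each burst is 60 packets inside 0.3 s.
TRAFFIC = (flood("udp", "192.168.21.1", "192.168.21.50", 60)
           + flood("tcp", "192.168.21.1", "192.168.21.50", 60, t0=10.0)
           + flood("tcp", "192.168.21.3", "192.168.21.50", 60, t0=20.0))


def demo() -> dict:
    """Alert count per header over the same traffic (fresh detection_filter each time)."""
    return {name: len(run_rule(hdr, VARS, DetectionFilter("by_dst", 50, 1), TRAFFIC))
            for name, hdr in (("any", HDR_ANY), ("ips", HDR_IPS), ("udp", HDR_UDP))}


if __name__ == "__main__":
    print(demo())
```

With count 50 each qualifying burst yields alerts on packets 51 to 60, so the `tcp any` header alerts on both TCP bursts, the bracketed-source `tcp` header only on the burst from 192.168.21.1, and neither of them on the UDP burst at all; only the `udp` header sees it. If a capture of the flood shows UDP to port 514, that is the first thing to check before looking at the detection_filter values.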
Current thread:
- [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 02)
- Re: [snort-user] rule unable to detect port specific DoS attack Joel Esler (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Joel Esler (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Wei Chea Ang (Sep 04)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Joel Esler (Sep 03)