Re: [snort-user] rule unable to detect port specific DoS attack

[Joel Esler <jesler () sourcefire com>]

Might be helpful to actually look at the traffic you are generating to see what it actually is.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 3, 2013, at 2:15 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:

> Hello Joel Sir,
>
>    After googling I got that this attack TCP based.
>  
>   Seeking for guidance,
>
>   Thanks!!
>   
>
>
> On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:
> P.S. I forgot to add --flood within attack command.
>
>
> On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:
> Hello Joel Sir,
>
>      attack is from command line and Command is 
>
>      [root@abc]# hping3 --rand-source <ip> -p 514 -S -L 0
>
>     from hping.org site,
>
> It supports TCP, UDP, ICMP and RAW-IP protocols
>  
>    so I am confused between it .
>
>     Please guide me where I am mistaken !
>
> --
> Cheers,
> Mayur      
>
> On Tue, Sep 3, 2013 at 8:41 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:
>
> > Hello All,  I have used rule 
> >
> >  alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service  
> >  attempt";flow:to_server; detection_filter:track by_dst, count 50, seconds 1; 
> >  metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
> >
> >
> >   which generates alert for at random ports which are not on my lists..fine
> >
> >    But if I write port-specific it does not logging into alert file
> >    alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS 
> >   flood denial of service attempt";flow:to_server; detection_filter:track by_dst,   
> >   count 50, seconds 1; metadata:service syslog; classtype:attempted-dos;  
> >   sid:25101; rev:1;)
> >
> >
> >   what I done is as follows:
> >   
> >   I am attaching here the output of pcap file generated by wireshark.
> >
> >      1. I run snort in NIDS mode
> >    
> >          snort -c /etc/snort/snort.conf -l /var/log/snort
> >
> >      2. Then I start capture of packets on eth0 interface.
> >
> >      3. I perform DoS flood attack output of which generated I am attaching here
> >
> >          http://fpaste.org/36432/
> >
> >      Seeking for guidance,
> >  
> >      Please help,
> >
> >      Thanks!!
>
>
> Is the traffic TCP or UDP?
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
>
> -- 
> Yours Sincerely,
> Mayur S. Patil,
> ME COMP ENGG,
> MITCOE,
> Pune.
>
> Contact : 
>          
>
>
>
>
>
>
> -- 
> Yours Sincerely,
> Mayur S. Patil,
> ME COMP ENGG,
> MITCOE,
> Pune.
>
> Contact : 
>          
>
>
>
>
>
>
> -- 
> Yours Sincerely,
> Mayur S. Patil,
> ME COMP ENGG,
> MITCOE,
> Pune.
>
> Contact : 
>          

------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!