Snort mailing list archives

Re: [snort-user] rule unable to detect port specific DoS attack


From: Mayur Patil <ram.nath241089 () gmail com>
Date: Wed, 4 Sep 2013 05:21:51 +0530

Do you mean to say the traffic generated by Wireshark when eth0 starts capturing?


On Wed, Sep 4, 2013 at 12:04 AM, Joel Esler <jesler () sourcefire com> wrote:

Might be helpful to actually look at the traffic you are generating to see
what it actually is.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 3, 2013, at 2:15 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:

Hello Joel Sir,

After googling I found that this attack is TCP based.

Seeking guidance,

Thanks!!



On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:

P.S. I forgot to add --flood to the attack command.


On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:

Hello Joel Sir,

The attack is from the command line, and the command is

    [root@abc]# hping3 --rand-source <ip> -p 514 -S -L 0

From the hping.org site:

    It supports TCP, UDP, ICMP and RAW-IP protocols

so I am confused between them.

Please guide me where I am mistaken!
--
Cheers,
Mayur

On Tue, Sep 3, 2013 at 8:41 PM, Joel Esler <jesler () sourcefire com> wrote:

On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:

Hello All, I have used the rule

    alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; \
        flow:to_server; detection_filter:track by_dst, count 50, seconds 1; \
        metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

which generates alerts for random ports which are not in my list... fine.

But if I write it port-specific it does not log into the alert file:

    alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; \
        flow:to_server; detection_filter:track by_dst, count 50, seconds 1; \
        metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)


What I did is as follows:

I am attaching here the output of the pcap file generated by Wireshark.

    1. I run Snort in NIDS mode:

        snort -c /etc/snort/snort.conf -l /var/log/snort

    2. Then I start capturing packets on the eth0 interface.

    3. I perform the DoS flood attack, the output of which I am attaching here:

        http://fpaste.org/36432/

Seeking guidance,

Please help,

Thanks!!



Is the traffic TCP or UDP?





--
Yours Sincerely,
Mayur S. Patil,
ME COMP ENGG,
MITCOE,
Pune.

Contact :
<https://www.facebook.com/mayurram> <https://twitter.com/RamMayur>
<https://plus.google.com/u/0/107426396312814346345/about>
<http://in.linkedin.com/pub/mayur-patil/35/154/b8b/>
<http://stackoverflow.com/users/1528044/rammayur>
<https://myspace.com/mayurram> <https://github.com/ramlaxman>



















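As an added illustration (not code from this thread, and not Snort's own implementation), the following Python model replays the two rules from the thread over constructed SYN traffic and applies the detection_filter the way the Snort manual describes it: track by_dst, alert on the (count+1)th and every later match for a destination within the seconds window. The window-restart logic is an approximation of Snort's internal threshold tracking, not a copy of it. Values assumed here that the thread does not give: $HOME_NET is 192.168.21.0/24, the flooded syslog host is 192.168.21.50, and the four traffic shapes are constructed. The spoofed sources model what hping3 --rand-source sends.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # TCP destination port


@dataclass
class Rule:
    sid: int
    src_nets: Optional[List[Net]]   # None stands for Snort's 'any'
    dst_nets: List[Net]             # $HOME_NET
    dport: int
    count: int                      # detection_filter count
    seconds: float                  # detection_filter seconds
    # track by_dst: (window start, matches so far) keyed by destination IP
    _state: Dict[str, Tuple[float, int]] = field(default_factory=dict)


HOME_NET = [Net("192.168.21.0/24")]   # assumed value of $HOME_NET (not in the thread)
VICTIM = "192.168.21.50"              # assumed syslog host being flooded

# alert tcp any any -> $HOME_NET 514 (... detection_filter:track by_dst, count 50, seconds 1; ...)
RULE_ANY_SRC = Rule(25101, None, HOME_NET, 514, 50, 1.0)
# alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (... same options ...)
RULE_LISTED_SRC = Rule(25101, [Net("192.168.21.1/32"), Net("192.168.21.2/32")],
                       HOME_NET, 514, 50, 1.0)


def in_nets(ip: str, nets: Optional[List[Net]]) -> bool:
    if nets is None:            # 'any'
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def header_matches(rule: Rule, pkt: Packet) -> bool:
    """Rule header: source list, $HOME_NET destination, destination port."""
    return (pkt.dport == rule.dport
            and in_nets(pkt.src, rule.src_nets)
            and in_nets(pkt.dst, rule.dst_nets))


def detection_filter(rule: Rule, pkt: Packet) -> bool:
    """Approximation of detection_filter: fire on the (count+1)th and every
    later header match for this destination inside a window of `seconds`;
    the window restarts once it has expired."""
    start, matches = rule._state.get(pkt.dst, (pkt.ts, 0))
    if pkt.ts - start > rule.seconds:
        start, matches = pkt.ts, 0
    matches += 1
    rule._state[pkt.dst] = (start, matches)
    return matches > rule.count


def run(rule: Rule, packets: List[Packet]) -> List[Packet]:
    """Return the packets on which the rule would generate an alert."""
    rule._state.clear()
    return [p for p in packets if header_matches(rule, p) and detection_filter(rule, p)]


def flood(n: int, dst: str, dport: int, duration: float,
          src: Optional[str] = None, seed: int = 1) -> List[Packet]:
    """Constructed traffic: n SYNs to dst:dport spread evenly over `duration`
    seconds. src=None gives every packet a random spoofed source, as
    hping3 --rand-source does; a random source that lands inside HOME_NET
    is redrawn so the demo stays deterministic."""
    rng = random.Random(seed)
    pkts = []
    for i in range(n):
        s = src
        while s is None or (src is None and in_nets(s, HOME_NET)):
            s = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        pkts.append(Packet(ts=i * duration / n, src=s, dst=dst, dport=dport))
    return pkts


RAND_SOURCE_FLOOD = flood(120, VICTIM, 514, duration=1.0)                   # 120 SYN/s, spoofed
LISTED_SOURCE_FLOOD = flood(120, VICTIM, 514, duration=1.0, src="192.168.21.1")
SLOW_TRICKLE = flood(120, VICTIM, 514, duration=6.0)                        # 20 SYN/s, spoofed


def summarize() -> Dict[str, int]:
    """Alert counts for each rule/traffic pairing."""
    return {
        "any-src rule, --rand-source flood": len(run(RULE_ANY_SRC, RAND_SOURCE_FLOOD)),
        "listed-src rule, --rand-source flood": len(run(RULE_LISTED_SRC, RAND_SOURCE_FLOOD)),
        "listed-src rule, flood from 192.168.21.1": len(run(RULE_LISTED_SRC, LISTED_SOURCE_FLOOD)),
        "any-src rule, 20 SYN/s trickle": len(run(RULE_ANY_SRC, SLOW_TRICKLE)),
    }


if __name__ == "__main__":
    for case, alerts in summarize().items():
        print(f"{case}: {alerts} alert(s)")
```

Run it with python3 to see the alert count per case. Two things the model makes visible that the rule text alone does not: the detection_filter only counts packets that already passed the rule header, so a rule whose source is restricted to two addresses never counts a packet whose source has been randomised, whatever the rate, while the same rule counts normally once the flood really comes from a listed address; and a flood that stays under the count-per-window threshold produces no alert either, so when testing a rate-based rule, check both the source addresses and the packets-per-second in the capture before changing the rule.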
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
