Snort mailing list archives
Re: [snort-user] rule unable to detect port specific DoS attack
From: Mayur Patil <ram.nath241089 () gmail com>
Date: Wed, 4 Sep 2013 05:21:51 +0530
Do you mean to say the traffic generated by wireshark when eth0 starts capturing?

On Wed, Sep 4, 2013 at 12:04 AM, Joel Esler <jesler () sourcefire com> wrote:

> Might be helpful to actually look at the traffic you are generating to see what it actually is.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Sep 3, 2013, at 2:15 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:
>
>> Hello Joel Sir,
>>
>> After googling I got that this attack is TCP based.
>>
>> Seeking guidance, Thanks!!
>>
>> On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:
>>
>>> P.S. I forgot to add --flood within the attack command.
>>>
>>> On Tue, Sep 3, 2013 at 8:48 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:
>>>
>>>> Hello Joel Sir,
>>>>
>>>> The attack is from the command line and the command is
>>>>
>>>>     [root@abc]# hping3 --rand-source <ip> -p 514 -S -L 0
>>>>
>>>> From the hping.org site, it supports TCP, UDP, ICMP and RAW-IP protocols, so I am confused between them. Please guide me where I am mistaken!
>>>>
>>>> --
>>>> Cheers,
>>>> Mayur
>>>>
>>>> On Tue, Sep 3, 2013 at 8:41 PM, Joel Esler <jesler () sourcefire com> wrote:
>>>>
>>>>> On Sep 3, 2013, at 1:44 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:
>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> I have used the rule
>>>>>>
>>>>>>     alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>>>>>>
>>>>>> which generates alerts for random ports which are not on my list... fine.
>>>>>>
>>>>>> But if I write it port-specific it does not log into the alert file:
>>>>>>
>>>>>>     alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)
>>>>>>
>>>>>> What I did is as follows. I am attaching here the output of the pcap file generated by wireshark.
>>>>>>
>>>>>> 1. I run snort in NIDS mode: snort -c /etc/snort/snort.conf -l /var/log/snort
>>>>>> 2. Then I start the capture of packets on the eth0 interface.
>>>>>> 3. I perform the DoS flood attack, the output of which I am attaching here: http://fpaste.org/36432/
>>>>>>
>>>>>> Seeking guidance, Please help, Thanks!!
>>>>>
>>>>> Is the traffic TCP or UDP?

--
Yours Sincerely,
Mayur S. Patil,
ME COMP ENGG, MITCOE, Pune.
Contact:
<https://www.facebook.com/mayurram>
<https://twitter.com/RamMayur>
<https://plus.google.com/u/0/107426396312814346345/about>
<http://in.linkedin.com/pub/mayur-patil/35/154/b8b/>
<http://stackoverflow.com/users/1528044/rammayur>
<https://myspace.com/mayurram>
<https://github.com/ramlaxman>
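The message above compares two versions of the same detection_filter rule, one with source "any" and one with the source list [192.168.21.1,192.168.21.2], against a flood sent with hping3 --rand-source. The following is an added illustration, not code from this thread, from Snort or from hping: a small model of how a Snort rule header and a detection_filter interact, replayed over constructed packets. It assumes $HOME_NET is 192.168.21.0/24 and simplifies the filter semantics from the Snort manual (alert once more than `count` matching packets from the tracked host are seen within `seconds`) to a window that starts at the first match and resets when it expires; the random source addresses stand in for --rand-source and are redrawn if they land inside HOME_NET.

```python
"""Model of how a Snort rule header and a detection_filter interact.

Added illustration, not code from the thread, from Snort or from hping.
Constructed packets stand in for the SYN flood described in the thread.
$HOME_NET is assumed to be 192.168.21.0/24.  Filter semantics are the
Snort manual's, simplified: alert once more than `count` matches for the
tracked host fall inside a `seconds` window that starts at the first match.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple
import random

HOME_NET = "192.168.21.0/24"          # assumed value of $HOME_NET


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    src_nets: List[str]          # empty list models the header keyword "any"
    dst_nets: List[str]
    dport: int
    count: int                   # detection_filter count
    seconds: float               # detection_filter seconds
    track_by: str = "by_dst"     # "by_dst" or "by_src"
    windows: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    @staticmethod
    def _in_nets(addr: str, nets: List[str]) -> bool:
        if not nets:                      # "any"
            return True
        ip = ip_address(addr)
        return any(ip in ip_network(n, strict=False) for n in nets)

    def header_matches(self, pkt: Packet) -> bool:
        # The rule header is evaluated first; packets whose source is not
        # in src_nets never reach the detection_filter counter.
        return (pkt.dport == self.dport
                and self._in_nets(pkt.src, self.src_nets)
                and self._in_nets(pkt.dst, self.dst_nets))

    def process(self, pkt: Packet) -> bool:
        """Return True if this packet produces an alert."""
        if not self.header_matches(pkt):
            return False
        key = pkt.dst if self.track_by == "by_dst" else pkt.src
        start, seen = self.windows.get(key, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:      # window expired: start over
            start, seen = pkt.ts, 0
        seen += 1
        self.windows[key] = (start, seen)
        return seen > self.count


def make_flood(n: int, dst: str, dport: int, rand_source: bool,
               spacing: float = 0.001, seed: int = 1) -> List[Packet]:
    """Constructed flood sample (not a real capture).  With rand_source=True
    the source is drawn at random, as hping3 --rand-source does; candidates
    inside HOME_NET are redrawn so the sample never hits the rule's list."""
    rng = random.Random(seed)
    home = ip_network(HOME_NET)
    pkts = []
    for i in range(n):
        src = "192.168.21.1"              # a listed source, for the fixed case
        if rand_source:
            while True:
                octets = [rng.randint(1, 223)] + [rng.randint(0, 255) for _ in range(3)]
                cand = ".".join(str(o) for o in octets)
                if ip_address(cand) not in home:
                    src = cand
                    break
        pkts.append(Packet(ts=i * spacing, src=src, dst=dst, dport=dport))
    return pkts


def count_alerts(rule: Rule, pkts: List[Packet]) -> int:
    rule.windows.clear()
    return sum(rule.process(p) for p in pkts)


def any_source_rule() -> Rule:
    return Rule(src_nets=[], dst_nets=[HOME_NET], dport=514, count=50, seconds=1)


def listed_source_rule() -> Rule:
    return Rule(src_nets=["192.168.21.1", "192.168.21.2"], dst_nets=[HOME_NET],
                dport=514, count=50, seconds=1)


if __name__ == "__main__":
    flood = make_flood(200, dst="192.168.21.10", dport=514, rand_source=True)
    print("any source, random sources :", count_alerts(any_source_rule(), flood))
    print("listed source, random srcs :", count_alerts(listed_source_rule(), flood))
    fixed = make_flood(200, dst="192.168.21.10", dport=514, rand_source=False)
    print("listed source, listed src  :", count_alerts(listed_source_rule(), fixed))
    slow = make_flood(200, dst="192.168.21.10", dport=514, rand_source=True, spacing=0.025)
    print("any source, 40 pkt/s       :", count_alerts(any_source_rule(), slow))
```

Running the script shows the header check gating the counter: 200 packets at 1 ms spacing exceed count 50 within one second and alert from the 51st packet on when the source is "any", the same packets with randomized sources never increment the counter of the listed-source rule, the listed-source rule does alert once the flood really comes from a listed address, and a flood slowed to 40 packets per second never exceeds the threshold under either header.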
Current thread:
- [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 02)
- Re: [snort-user] rule unable to detect port specific DoS attack Joel Esler (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Joel Esler (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Wei Chea Ang (Sep 04)
- Re: [snort-user] rule unable to detect port specific DoS attack Mayur Patil (Sep 03)
- Re: [snort-user] rule unable to detect port specific DoS attack Joel Esler (Sep 03)