Snort mailing list archives
Re: UDP detection when no payload is present in UDP packets problem
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sat, 14 May 2016 07:14:27 +0000
Hello,

How are you starting snort? For the pcap you sent you need to add the -k option to disable checksum validation.

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Lenny Hansson [mailto:security () netcowboy dk]
Sent: Saturday, May 14, 2016 2:20 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] UDP detection when no payload is present in UDP packets problem

Hi All

I am looking at an attack where no payload is present in the UDP packets. My SNORT installation is working on other rules and traffic types. This attack comes from a large DDOS where the packets all look like this. But all source IPs are random, and the source and dest ports on UDP are random. The only thing which is steady is the packet size. So the idea was to look for UDP packets with 46 bytes and do a drop on that and/or put in a detection filter and start dropping after receiving 500/1000 packets within 5 seconds or so.

My starting rule was to look for UDP like the one here. But here comes my problem. I can't even get SNORT to alert on simple UDP packets like the one attached. If I craft my own UDP packet it will alert, or if I do testing with other UDP based attacks with content and so on.

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"UDP no payload attack"; priority:1; sid:880000; rev:1;)

I have attached 1 pcap with one such packet not detected with SNORT. DST IP has been changed in the pcap file as the only thing. But the rest of the packet is still original from the attack.

What am I missing here? Since I can't get SNORT to give me alerts in log files or on screen?

I am testing on SNORT version 2.9.8.2

--
Venlig hilsen / Best Regards
Lenny Hansson
***********************************
Web: networkforensic.dk
***********************************
E-mail: security () netcowboy dk
Key-ID: 91379877
***********************************
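An added example (not from the thread and not Snort's own code) illustrating the two points above: a stdlib-only parser for Ethernet/IPv4/UDP frames that verifies the UDP checksum, so a packet that default checksum validation would skip (the reason for the -k option in the reply) can be told apart from a genuine zero-payload packet, plus a counter with the same semantics as the detection filter Lenny describes. Frames are constructed inline with documentation-range addresses; the 46-byte size from the attack is not assumed.

```python
import struct
from collections import defaultdict, deque

def ones_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s
def pseudo(src: bytes, dst: bytes, udp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 17, udp_len)   # UDP pseudo-header

def build_frame(src_ip, dst_ip, sport, dport, payload=b"", bad_csum=False) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (zero MACs, no IP checksum); bad_csum corrupts the UDP checksum."""
    src, dst = (bytes(map(int, ip.split("."))) for ip in (src_ip, dst_ip))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = 0x1234 if bad_csum else ((0xFFFF ^ ones_sum(pseudo(src, dst, len(udp)) + udp)) or 0xFFFF)
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def inspect(frame: bytes) -> dict:
    """Parse a frame; report UDP payload length and whether the UDP checksum verifies."""
    ihl = (frame[14] & 0x0F) * 4
    src, dst = frame[26:30], frame[30:34]
    total_len = struct.unpack("!H", frame[16:18])[0]
    udp = frame[14 + ihl:14 + total_len]
    stored = struct.unpack("!H", udp[6:8])[0]
    ok = stored == 0 or ones_sum(pseudo(src, dst, len(udp)) + udp) == 0xFFFF   # zero means "no checksum"
    return {"frame_len": len(frame), "payload_len": len(udp) - 8, "dst": dst, "csum_ok": ok}

class DetectionFilter:
    """Same idea as Snort's detection_filter: track by destination, fire once count is reached within seconds."""
    def __init__(self, count: int, seconds: float):
        self.count, self.seconds, self.seen = count, seconds, defaultdict(deque)
    def hit(self, dst: bytes, now: float) -> bool:
        q = self.seen[dst]
        q.append(now)
        while now - q[0] > self.seconds:   # drop timestamps outside the window
            q.popleft()
        return len(q) >= self.count
def classify(frame: bytes, verify_checksums: bool = True) -> str:
    """'ignored' mirrors an IDS skipping bad-checksum packets; verify_checksums=False is the -k none case."""
    info = inspect(frame)
    if verify_checksums and not info["csum_ok"]:
        return "ignored"
    return "no-payload-udp" if info["payload_len"] == 0 else "udp"
```

In Snort rule terms (my wording, not from the thread) the zero-payload match is dsize:0 and the rate part is detection_filter: track by_dst, count 500, seconds 5.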
Current thread:
- UDP detection when no payload is present in UDP packets problem Lenny Hansson (May 13)
- Re: UDP detection when no payload is present in UDP packets problem Al Lewis (allewi) (May 14)