Snort mailing list archives

Re: Detecting DDoS attacks with Snort


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 23 Jan 2017 16:52:00 +0000

We generally don’t write any thresholds (unless we have to for some reason) in any rule.  We try to leave those 
configurable to the user.


--
Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>






On Jan 23, 2017, at 11:16 AM, Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail 
uws ac uk>> wrote:

Ok Joel,

So, from your words I understand that rules uploaded by the community don't have any threshold by default, and it is 
each user who has to configure it according to "one's tastes". So, for the same attack I could have 2000 alerts while 
another user could have just one.
It would make more sense. I couldn't understand why just one packet could trigger a DDoS alert, while I thought that a 
DDoS attack was created to send a large number of packets per second to the target.
So I now realise that my idea of a DDoS attack and Snort rules wasn't wrong, but I was taking for granted that I could 
detect real DDoS attacks by downloading rules without modifying them.
I suppose that uploaded rules are good for having known signatures of packets sent in attacks. Then I have to configure 
thresholds by myself.

Thanks
________________________________
From: Joel Esler (jesler) <jesler () cisco com<mailto:jesler () cisco com>>
Sent: 23 January 2017 15:35:26
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Detecting DDoS attacks with Snort

You can make one threshold, as a global threshold, that will threshold all rules.  That example is in the 
threshold.conf IIRC.

That being said, some users of Snort want every alert.  So while you may not, many people do.  It’s up to each user of 
Snort to configure it how they want.

--
Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>






On Jan 23, 2017, at 10:31 AM, Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail 
uws ac uk>> wrote:


I have read about that and have even added some thresholds to some rules to understand them better while generating 
traffic. However, when I download rules I supposed that they were trying to alert on known attacks, so they should even 
have a well-configured threshold.
If they don't have one and you have to do it yourself, these rules are not useful, are they? Maybe I'm wrong from the 
beginning, but it doesn't make sense to me to have to configure a threshold for thousands of downloaded rules, one by 
one. Even more so when I don't know the attacks and don't have any criteria to configure their thresholds.
That's why I suspected that there was something I was misunderstanding, since I don't believe that uploaded rules 
are incomplete.


________________________________
From: Joel Esler (jesler) <jesler () cisco com<mailto:jesler () cisco com>>
Sent: 23 January 2017 15:20:56
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Detecting DDoS attacks with Snort

You can enable your own thresholds in the threshold.conf.


--
Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>






On Jan 23, 2017, at 9:54 AM, Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail 
uws ac uk>> wrote:

Thanks for your response Joel.
I have also installed PulledPork to have more up-to-date rules, but still don't understand why I have to get an alert per 
packet in a DDoS attack.
For example, following your link, I randomly selected one rule with a DoS classtype that I copied below. If I use 
scapy to send 2000 packets that match the signature shown in this rule, Snort will trigger 2000 alerts. That's what I 
cannot understand from the beginning. Why 2000 alerts? Shouldn't there be some kind of threshold to decide whether it is an attack or 
not, depending on the number of packets received/sent?



# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;)
________________________________
From: Joel Esler (jesler) <jesler () cisco com<mailto:jesler () cisco com>>
Sent: 23 January 2017 14:41:07
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Detecting DDoS attacks with Snort

Those rules are six years old.  I’d suggest getting a more up to date ruleset from Snort.org<http://snort.org/>.

--
Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>






On Jan 23, 2017, at 5:25 AM, Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail 
uws ac uk>> wrote:


Hi everyone,
I am a beginner with Snort. For my research, I would like to use Snort to detect DDoS attacks.
So, what I have done is, first, install Snort and download DDoS rules from here: 
https://github.com/eldondev/Snort/blob/master/rules/ddos.rules.
Then, I tried to generate some traffic that matches some of these rules to see if Snort triggered alerts. I started to use 
scapy and I managed to generate ICMP and UDP DoS attacks, but not TCP for the moment, and not distributed, just 
DoS. I am also open to new ideas about the issue of generating traffic to simulate my attacks (pcaps would also be 
suitable).

My main worry, and the aim of this message, is that I am not sure that I have understood well how Snort rules work. I don't 
understand why I am getting one alert per packet sent. So, if I send 2000 packets matching a rule I receive 2000 
alerts. As far as I know, a DDoS attack attempts to overload systems, so one packet is not a DoS attack.

So, does somebody know how I should do a real experiment? Maybe those rules are not good for detecting an attack? Maybe I am 
not running Snort in the proper mode?

Thanks in advance
Ana


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org<http://slashdot.org/>! 
http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
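The thresholding Joel describes above (a global event_filter in threshold.conf plus per-rule overrides) and Ana's 2000-packet scapy test, as an added example that is not part of this thread and is not Snort's own code: a small Python simulation that parses two lines written in threshold.conf event_filter syntax and replays 2000 packets matching sid 231 through them. The filter types (limit, threshold, both) and their meaning follow the Snort 2.9 manual; the window bookkeeping is a simplified re-implementation, not a copy of Snort's own code, and the configuration lines, addresses and packet rate are constructed for the example.

```python
"""
Simulate Snort event_filter (threshold.conf) semantics over a burst of
rule matches, to show why one match per packet becomes 2000 alerts with
no filter and a single alert once a filter is configured.

Added example for this thread; not code from Snort or from any poster.
The three filter types follow the Snort 2.9 manual (limit / threshold /
both); the window handling is a simplified re-implementation and is an
assumption about Snort's exact behaviour. All input below is constructed.
"""
import re
from collections import defaultdict

# Two constructed lines in the syntax threshold.conf accepts (gen_id 1 is
# the generator for text rules). sig_id 0 with gen_id 1 applies the filter
# to every text rule; sid 231 is the Trin00 rule quoted in the thread.
SAMPLE_THRESHOLD_CONF = """
# global: at most one alert per source per rule per 60 s
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
# per-rule override for sid 231: alert once, only after 100 hits in 10 s
event_filter gen_id 1, sig_id 231, type both, track by_src, count 100, seconds 10
"""

_LINE = re.compile(
    r"^event_filter\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*type\s+(limit|threshold|both),"
    r"\s*track\s+(by_src|by_dst),\s*count\s+(\d+),\s*seconds\s+(\d+)\s*$"
)


def parse_threshold_conf(text):
    """Return {(gen_id, sig_id): filter dict}; comments and blank lines ignored."""
    filters = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {raw!r}")
        gid, sid, ftype, track, count, seconds = m.groups()
        filters[(int(gid), int(sid))] = {
            "type": ftype, "track": track,
            "count": int(count), "seconds": int(seconds),
        }
    return filters


class EventFilter:
    """Apply parsed filters to a stream of (time, gid, sid, src, dst) matches."""

    def __init__(self, filters):
        self.filters = filters
        # one counter window per (filter, tracked address)
        self.state = defaultdict(lambda: {"start": None, "n": 0})

    def _lookup(self, gid, sid):
        # most specific first: exact sid, then gen_id-wide (sid 0), then global
        for key in ((gid, sid), (gid, 0), (0, 0)):
            if key in self.filters:
                return key, self.filters[key]
        return None, None

    def log(self, t, gid, sid, src, dst):
        """True if the alert would be written, False if the filter drops it."""
        key, f = self._lookup(gid, sid)
        if f is None:
            return True                      # no filter: every packet alerts
        tracked = src if f["track"] == "by_src" else dst
        st = self.state[(key, tracked)]
        if st["start"] is None or t - st["start"] >= f["seconds"]:
            st["start"], st["n"] = t, 0      # start a new time window
        st["n"] += 1
        if f["type"] == "limit":
            return st["n"] <= f["count"]     # first `count` events per window
        if f["type"] == "threshold":
            if st["n"] >= f["count"]:        # every `count`-th event
                st["start"], st["n"] = t, 0
                return True
            return False
        return st["n"] == f["count"]         # both: once per window, at `count`


def count_alerts(conf_text, n_packets, sid, pps=200.0, src="10.0.0.5", dst="10.0.0.1"):
    """Replay n_packets matching sid at pps packets/second; return alerts written."""
    ef = EventFilter(parse_threshold_conf(conf_text))
    return sum(ef.log(i / pps, 1, sid, src, dst) for i in range(n_packets))


if __name__ == "__main__":
    print("no filter      :", count_alerts("", 2000, 231))
    print("with filters   :", count_alerts(SAMPLE_THRESHOLD_CONF, 2000, 231))
    print("other text rule:", count_alerts(SAMPLE_THRESHOLD_CONF, 2000, 1000))
```

Without a filter the 2000 constructed matches give 2000 alerts; with the two lines above, sid 231 gives one alert (the "both" filter fires once the 100th packet from that source arrives inside the window) and any other text rule gives one alert per source per 60 seconds from the global "limit" line. In Snort 2.9 the real lines go into threshold.conf, which the stock snort.conf pulls in with "include threshold.conf"; note that a limit filter only reduces the alert volume, it does not make a single packet stop matching, so the count you pick is the detection criterion, and it is yours to choose per sensor.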
