Snort mailing list archives

Triggering inspector rules (arp_spoof / stream)


From: Julia Geiger <julia.geiger () rolls-royce-solutions de>
Date: Fri, 7 Apr 2023 14:52:29 +0000

Hello Snort Community,

I am a student who just started working with Snort3 (Version: 3.1.18.0).
For my project I need to detect ARP spoofing and TCP/SYN flood attacks.

For the arp_spoof inspector I configured the ip/mac address mapping in the configuration file.
I also wrote rules for the four arp_spoof inspector events.
When I run an ARP spoofing attack I get a log entry for rule 4 "attempted ARP cache overwrite attack".
But when a message is sent to a host where the destination IP/MAC address is spoofed, I do not get a log entry for rule 3.
I looked at the sent packets and the IP/MAC addresses do not match the configured values. I do not know why these rules are not triggered.
My config looks like this (inside of my snort.lua file):
arp_spoof = {
    hosts = {
        {ip ="x.x.x.x", mac ="xx:xx:xx:xx:xx:xx"},
    }
}

My rule file looks like this:
alert (msg: "some msg1"; gid: 112; sid: 1;)
alert (msg: "some msg2"; gid: 112; sid: 2;)
alert (msg: "some msg3"; gid: 112; sid: 3;)
alert (msg: "some msg4"; gid: 112; sid: 4;)


Besides that I am trying to trigger rule 1 of the stream_inspector to detect SYN flood attacks.
I looked into the code but I could not find what the conditions are to trigger the rule.
But so far I could not trigger this rule.
My own rule which just counts incoming packets with "flag:S" works perfectly though.
I again enabled the inspector in my config and wrote rules for that event.

My config looks like this (inside my snort.lua file):
stream = {}
My rule file looks like this:
alert (msg: "msg1"; gid: 135; sid:1;)


I would really appreciate any support on triggering these events.

Thanks for any advice!


Best regards
Julia
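As an added example (not code from the post above and not the Snort project's own source), here is a small Python re-implementation of the kind of checks an ARP-spoofing inspector performs, run over constructed raw Ethernet/ARP frames and a constructed static host table. It separates two different kinds of check: Ethernet-header versus ARP-header consistency (request source, reply destination) and comparison of a reply's sender against the configured IP/MAC table (cache overwrite). The sid numbers 3 and 4 and their messages follow the post; the other sids, the message strings and the exact conditions are my assumptions about how such an inspector behaves, not a statement about Snort's implementation.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed static host table, standing in for the snort.lua
# arp_spoof.hosts entry in the post (placeholder values, not real hosts).
HOSTS: Dict[str, str] = {
    "10.0.0.1": "aa:bb:cc:00:00:01",
}

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> Optional[dict]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.
    Returns None for anything that is not such a frame (other ethertypes,
    other hardware/protocol types, truncated frames)."""
    if len(frame) < 14 + 28:
        return None
    eth_dst, eth_src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[0:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
        "sha": mac_str(arp[8:14]), "spa": ip_str(arp[14:18]),
        "tha": mac_str(arp[18:24]), "tpa": ip_str(arp[24:28]),
    }


def inspect(frame: bytes, hosts: Dict[str, str] = HOSTS) -> List[Tuple[int, str]]:
    """Return (sid, message) events for one frame. Assumed conditions:
    sid 1/2 on requests, sid 2/3/4 on replies; sid 4 is the only check
    that consults the configured host table, the others compare the
    Ethernet header with the ARP payload."""
    events: List[Tuple[int, str]] = []
    a = parse_frame(frame)
    if a is None:
        return events
    if a["op"] == ARP_REQUEST:
        if a["eth_dst"] != BROADCAST:
            events.append((1, "unicast ARP request"))
        if a["eth_src"] != a["sha"]:
            events.append((2, "ethernet/ARP mismatch for source"))
    elif a["op"] == ARP_REPLY:
        if a["eth_src"] != a["sha"]:
            events.append((2, "ethernet/ARP mismatch for source"))
        if a["eth_dst"] != a["tha"]:
            events.append((3, "ethernet/ARP mismatch for destination"))
        expected = hosts.get(a["spa"])
        if expected is not None and expected != a["sha"]:
            events.append((4, "attempted ARP cache overwrite attack"))
    return events


def build_arp(eth_dst: str, eth_src: str, op: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed Ethernet/ARP frame for testing the inspector."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac(sha) + ip(spa) + mac(tha) + ip(tpa))
    return eth + arp


if __name__ == "__main__":
    victim, attacker = "aa:bb:cc:00:00:02", "de:ad:be:ef:00:01"
    # Constructed reply claiming 10.0.0.1 from a MAC that is not in HOSTS.
    frame = build_arp(victim, attacker, ARP_REPLY, attacker, "10.0.0.1", victim, "10.0.0.2")
    print(inspect(frame))
```

The usage block at the bottom builds the cache-overwrite case: a reply for the table's IP from a different MAC triggers only sid 4, while a reply whose Ethernet destination differs from the ARP target hardware address triggers sid 3 even when the sender matches the table. Keeping the two kinds of check apart is the point of the example: a static host table only feeds one of them.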