Snort mailing list archives
Re: Unable to detect port-specific DoS attack
From: Mayur Patil <ram.nath241089 () gmail com>
Date: Thu, 29 Aug 2013 10:50:26 +0530
Hi Greg,

Please guide me to the location. Is it /var/log/snort/alert? Because, as per my little knowledge, this is the location which has the generated result of Snort rules.

Thanks!

--
Cheers,
Mayur

On Thu, Aug 29, 2013 at 10:39 AM, Gregory W. MacPherson <greg () constellationsecurity com> wrote:

There seems to be a communication problem... First, the files you listed are *not* 'pcap' files. They are various libraries and programs that are used *with* pcap files. A 'pcap' file is a packet capture that is generated by a program that is able to place the network interface into 'promiscuous' mode and 'capture' the 'packets' that the interface receives. An example of a program that can 'generate' pcap files is wireshark (Google). What is being asked for is the output from such a program that can illustrate the network traffic that is being passed to/through your SNORT box.

-- Greg

On or about 2013.08.29 10:18:50 +0530, Mayur Patil (ram.nath241089 () gmail com) said:

Hi,

I have found pcap files at these locations; please suggest which one should I send??

/var/lib/yum/yumdb/l/a73becfaf9eee2c429b69b930bd4c5339d089942-libpcap-1.0.0-6.20091201git117cb5.el6-x86_64
/usr/share/doc/libpcap-1.0.0
/usr/share/doc/libpcap-1.0.0/pcap.txt
/usr/share/man/man7/pcap-filter.7.gz
/usr/share/man/man7/pcap-linktype.7.gz
/usr/share/texmf/tex/latex/oberdiek/hypcap.sty
/usr/share/texmf/tex/latex/ltxmisc/topcapt.sty
/usr/lib64/libpcap.so.1.0.0
/usr/lib64/libpcap.so.1
/usr/lib64/gstreamer-0.10/libgstpcapparse.so
/usr/sbin/getpcaps
/selinux/class/capability/perms/setpcap

Seeking guidance, Thanks!

PS. I was unable to send earlier as my setup is in the college.

--
Cheers, Mayur

On Tue, Aug 27, 2013 at 6:51 PM, Wei Chea Ang <weichea () gmail com> wrote:

Can you share the pcap?

On 27 Aug, 2013 7:53 PM, "Mayur Patil" <ram.nath241089 () gmail com> wrote:

Hi,

I have written the rule

alert tcp any any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

which generates alerts for random ports which are not on my list... fine. But if I write it port-specific, it does not log into the alert file:

alert tcp [192.168.21.1,192.168.21.2] any -> $HOME_NET 514 (msg:"DOS flood denial of service attempt"; flow:to_server; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; classtype:attempted-dos; sid:25101; rev:1;)

What actually am I missing?? Please help.

Thanks!
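As an added illustration (not code from this thread, and not Snort's own implementation), the following Python models how the rule header's source list and the `detection_filter:track by_dst, count 50, seconds 1` threshold together decide whether a packet produces an alert. It assumes `$HOME_NET` is 192.168.21.0/24, treats the filter window as a fixed interval that opens at a destination's first match, and ignores the `flow` and `metadata` options.

```python
import ipaddress
from collections import defaultdict

HOME_NET = ipaddress.ip_network("192.168.21.0/24")  # assumed value of $HOME_NET

def parse_src_list(spec):
    """Turn a rule source field ("any" or "[ip,ip,...]") into a matcher."""
    if spec == "any":
        return lambda ip: True
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)

class DetectionFilter:
    """Model of `detection_filter:track by_dst, count N, seconds S`: fire on the
    (N+1)th match per destination inside a window that opens at its first match."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])  # dst -> [window_start, matches]

    def match(self, dst, ts):
        start, n = self.state[dst]
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0  # first sighting or expired window: open a new one
        n += 1
        self.state[dst] = [start, n]
        return n > self.count

def run_rule(src_spec, dport, packets, count=50, seconds=1):
    """Return the timestamps at which the rule would alert for a packet stream.
    Packets are (timestamp, src_ip, dst_ip, dst_port); flow/metadata not modelled."""
    src_ok = parse_src_list(src_spec)
    df = DetectionFilter(count, seconds)
    alerts = []
    for ts, src, dst, port in packets:
        # Header must match first: dst in $HOME_NET, port 514, src in the list.
        if port != dport or ipaddress.ip_address(dst) not in HOME_NET or not src_ok(src):
            continue
        if df.match(dst, ts):
            alerts.append(ts)
    return alerts

# Constructed sample flood: 60 syslog packets in 0.6 s from 192.168.21.50 (not in
# the second rule's source list) followed by 5 from 192.168.21.1 (which is in it).
FLOOD = [(i * 0.01, "192.168.21.50", "192.168.21.10", 514) for i in range(60)]
FLOOD += [(0.7 + i * 0.01, "192.168.21.1", "192.168.21.10", 514) for i in range(5)]

if __name__ == "__main__":
    print(len(run_rule("any", 514, FLOOD)))                          # 15
    print(len(run_rule("[192.168.21.1,192.168.21.2]", 514, FLOOD)))  # 0
```

Only packets whose source matches the header count toward the by_dst threshold, so under the narrowed rule the counter for 192.168.21.10 never exceeds 50 and no alert is written.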