Snort mailing list archives
hping3 flood detection
From: Meysam Farazmand <farazmand.meisam () gmail com>
Date: Wed, 12 Mar 2014 12:42:26 +0330
Hi dear friends,

I am trying to detect an hping3 flood. I configured frag3 with the following configuration in snort.conf:

    preprocessor frag3_global: prealloc_frags 8192
    preprocessor frag3_engine: policy linux detect_anomalies overlap_limit 1 min_fragment_length 5 timeout 1 bind_to 192.168.4.1

and wrote the following rule in the ddos.rules file:

    drop ip any any -> any any (msg:"Hping3 DDOS Detected"; flow:to_server; detection_filter: track by_src, count 20, seconds 5; fragbits:M+; sid:123123149; rev:1;)

The command for executing hping3 is:

    hping3 192.168.4.2 --flood -V -d 1450

When the data size in hping3 is smaller than 1500 bytes (1450 in the above command), Snort successfully detects it, but when it is greater than 1500 bytes (for example 1600), Snort fails to detect it, because 1600 bytes is greater than the Ethernet maximum frame size and the packet is fragmented into parts. So we expect frag3 to detect it. But when I execute hping3 with 1600 bytes of data and finally stop Snort to see the frag3 statistics, it shows me 0:

    Frag3 statistics:
        Total Fragments: 0
        Frags Reassembled: 0
        Discards: 0
        Memory Faults: 0
        Timeouts: 0
        Overlaps: 0
        Anomalies: 0
        Alerts: 0
        Drops: 0
        FragTrackers Added: 0
        FragTrackers Dumped: 0
        FragTrackers Auto Freed: 0
        Frag Nodes Inserted: 0
        Frag Nodes Deleted: 0

Can someone help me?
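The following is an added illustration for this thread, not code from the poster, from hping3 or from Snort: it models how a sending host fragments an hping3 packet whose TCP payload exceeds the interface MTU, and then evaluates the posted rule's fragbits:M+ test and a simplified detection_filter (track by_src, count 20, seconds 5) over the resulting fragment stream. It does not model frag3 or stream5 and says nothing about why the poster's frag3 counters read zero. Assumptions are marked in comments: a 1500-byte MTU, a 20-byte TCP header with no options, the DF bit clear, a fixed detection_filter window anchored at the first match, and constructed packet timings.

```python
"""Model of IP fragmentation plus Snort's fragbits:M+ and detection_filter
options. Illustration only, written for this thread; not hping3 or Snort code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MTU = 1500          # assumption: Ethernet MTU on the sending interface
IP_HLEN = 20        # IPv4 header without options
TCP_HLEN = 20       # assumption: hping3's TCP header carries no options


@dataclass
class Fragment:
    src: str
    ip_id: int
    mf: bool        # More Fragments bit
    offset: int     # fragment offset in 8-byte units
    length: int     # bytes of IP payload carried by this fragment
    t: float        # arrival time in seconds (constructed)


def fragment(src: str, ip_id: int, payload_len: int, t: float,
             mtu: int = MTU) -> List[Fragment]:
    """Split one IP payload (TCP header + data) the way a host does when DF is
    clear: every fragment but the last carries a multiple of 8 bytes with MF
    set; the last carries the remainder with MF clear."""
    per_frag = (mtu - IP_HLEN) // 8 * 8      # 1480 bytes for a 1500-byte MTU
    frags: List[Fragment] = []
    off = 0
    while off < payload_len:
        n = min(per_frag, payload_len - off)
        more = off + n < payload_len
        frags.append(Fragment(src, ip_id, more, off // 8, n, t))
        off += n
    return frags


def fragbits_m_plus(f: Fragment) -> bool:
    """fragbits:M+ matches when MF is set, whatever the other flag bits are."""
    return f.mf


class DetectionFilter:
    """Simplified detection_filter: track by_src, count N, seconds S.
    Fires on every match after the first N from a source within a window that
    starts at that source's first match (assumption: fixed, not sliding, window)."""

    def __init__(self, count: int, seconds: float) -> None:
        self.count = count
        self.seconds = seconds
        self.state: Dict[str, Tuple[float, int]] = {}   # src -> (window_start, matches)

    def check(self, src: str, t: float) -> bool:
        start, n = self.state.get(src, (t, 0))
        if t - start >= self.seconds:          # window expired: start a new one
            start, n = t, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count


def run_flood(src: str, data_len: int, packets: int, pps: float) -> Tuple[int, int, int]:
    """Simulate `hping3 -d data_len --flood` as `packets` TCP packets sent at
    `pps` packets/s (constructed traffic), apply fragbits:M+ to each fragment
    and feed matches to a detection_filter of count 20, seconds 5.
    Returns (fragments_seen, mf_fragments, alerts)."""
    df = DetectionFilter(count=20, seconds=5)
    total = mf = alerts = 0
    for i in range(packets):
        for f in fragment(src, ip_id=i, payload_len=TCP_HLEN + data_len, t=i / pps):
            total += 1
            if fragbits_m_plus(f):
                mf += 1
                if df.check(f.src, f.t):
                    alerts += 1
    return total, mf, alerts


if __name__ == "__main__":
    for data_len in (1450, 1600):
        print(data_len, run_flood("192.168.4.1", data_len, packets=25, pps=100.0))
```

Two things the model makes visible: with -d 1600 the IP payload is 1620 bytes, so each packet becomes a 1480-byte first fragment (MF set, offset 0) and a 140-byte last fragment (MF clear, offset 185), and fragbits:M+ can only match the first of the pair; and detection_filter with count 20 fires on the 21st matching fragment from a source inside the window, so 20 packets produce no alert while 25 produce five.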
Current thread:
- hping3 flood detection Meysam Farazmand (Mar 12)
- Re: hping3 flood detection waldo kitty (Mar 12)
- Fwd: Re: hping3 flood detection Meysam Farazmand (Mar 14)
- Re: hping3 flood detection waldo kitty (Mar 12)