Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: detecting Dos attacks on mininet

From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 22 Jul 2016 17:38:56 +0000
Your -p is 21 but your rule is looking on port 80. That might be the
problem.


On Fri, Jul 22, 2016 at 5:54 AM <priyankshah902002 () gmail com> wrote:


Hi all,



I  have set up a small topology with one switch, four hosts and a remote
opendaylight controller using Mininet. I have also set up a bridge where
all the traffic to h2 is mirrored to h3(10.0.0.3) using port mirroring. I’m
running Snort on h3. I use the following command to initiate a syn flood
attack from h1 (10.0.0.1) to h2(10.0.0.2) :



Hping3 -c 10000 -d 120 -S -w 64 -p 21 –flood –rand-source 10.0.0.2



I have used the following rule for detection:



alert tcp any any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow:
stateless; detection_filter: track by_dst, count 70, seconds 10;



but wont detect the syn packets. I used a test rule to detect icmp packets
and that works perfectly.

Can you please point out any mistake that I have or could have made.



Thank You,
Priyank
priyankshah902002 () gmail com



------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and
traffic
patterns at an interface-level. Reveals which users, apps, and protocols
are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: