Snort mailing list archives
Re: detecting Dos attacks on mininet
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 22 Jul 2016 17:38:56 +0000
Your -p is 21 but your rule is looking on port 80. That might be the problem. On Fri, Jul 22, 2016 at 5:54 AM <priyankshah902002 () gmail com> wrote:
Hi all, I have set up a small topology with one switch, four hosts and a remote opendaylight controller using Mininet. I have also set up a bridge where all the traffic to h2 is mirrored to h3(10.0.0.3) using port mirroring. I’m running Snort on h3. I use the following command to initiate a syn flood attack from h1 (10.0.0.1) to h2(10.0.0.2) : Hping3 -c 10000 -d 120 -S -w 64 -p 21 –flood –rand-source 10.0.0.2 I have used the following rule for detection: alert tcp any any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; detection_filter: track by_dst, count 70, seconds 10; but wont detect the syn packets. I used a test rule to detect icmp packets and that works perfectly. Can you please point out any mistake that I have or could have made. Thank You, Priyank priyankshah902002 () gmail com ------------------------------------------------------------------------------ What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic patterns at an interface-level. Reveals which users, apps, and protocols are consuming the most bandwidth. Provides multi-vendor support for NetFlow, J-Flow, sFlow and other flows. Make informed decisions using capacity planning reports.http://sdm.link/zohodev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic patterns at an interface-level. Reveals which users, apps, and protocols are consuming the most bandwidth. Provides multi-vendor support for NetFlow, J-Flow, sFlow and other flows. Make informed decisions using capacity planning reports.http://sdm.link/zohodev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- detecting Dos attacks on mininet priyankshah902002 (Jul 22)
- Re: detecting Dos attacks on mininet Jason Wallace (Jul 22)