Snort mailing list archives
Re: Detecting DDoS attacks with Snort
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 23 Jan 2017 14:41:07 +0000
Those rules are six years old. I’d suggest getting a more up to date ruleset from Snort.org.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Jan 23, 2017, at 5:25 AM, Ana Serrano Mamolar <B00315494 () studentmail uws ac uk> wrote:

> Hi everyone,
>
> I am a beginner with Snort. For my research, I would like to use Snort to detect DDoS attacks. So, what I have done is, first install Snort and download DDoS rules from here https://github.com/eldondev/Snort/blob/master/rules/ddos.rules. Then, I tried to generate some traffic that matches some of these rules to see if Snort triggered alerts. I started to use scapy and I managed to generate ICMP and UDP DoS attacks, but not TCP for the moment, and not Distributed, but just DoS. I am also open to new ideas about that issue of generating traffic to simulate my attacks (also pcaps would be suitable).
>
> My main worry, and the aim of this message, is that I am not sure I have understood well how Snort rules work. I don't understand why I am getting one alert per packet sent. So, if I send 2000 packets matching a rule I receive 2000 alerts. As far as I know, a DDoS attack attempts to overload systems, so one packet is not a DoS attack. So, does somebody know how I should do a real experiment? Maybe those rules are not good to detect an attack? Maybe I am not running Snort in the proper mode?
>
> Thanks in advance
>
> Ana

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
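The "one alert per packet" behaviour Ana describes is what a stateless rule does: every matching packet is its own event. Snort's rate-based options (`detection_filter: track by_src, count N, seconds S` on a rule, and `event_filter type limit` in the config) are what turn a flood into a handful of events. The Python below is an added model of that logic written for this archive page, not Snort code and not from anyone in the thread; it assumes a simplified sliding-window approximation of those two options, and the packet timestamps, source addresses and `count`/`seconds` values are constructed.

```python
from collections import defaultdict, deque

# Constructed sample (not a capture): (timestamp_seconds, source_ip).
# 2000 matching packets from one host within two seconds, plus one stray
# packet from a second host. Addresses are RFC 5737 documentation ranges.
FLOOD_SRC = "192.0.2.10"
PACKETS = [(1.0 + i * 0.001, FLOOD_SRC) for i in range(2000)]
PACKETS.append((1.5, "192.0.2.20"))
PACKETS.sort()


def stateless_alerts(packets):
    """A plain rule with no rate option: every match is an alert."""
    return len(packets)


def detection_filter(packets, count, seconds):
    """Approximation (assumption) of Snort's detection_filter, track by_src:
    a match becomes an event only once more than `count` matches from the
    same source have fallen inside the trailing `seconds` window."""
    windows = defaultdict(deque)   # src -> timestamps still inside window
    events = []
    for ts, src in packets:
        q = windows[src]
        q.append(ts)
        while q and q[0] <= ts - seconds:   # expire matches outside window
            q.popleft()
        if len(q) > count:
            events.append((ts, src))
    return events


def limit_per_window(events, seconds):
    """Approximation (assumption) of event_filter 'type limit, count 1':
    keep the first event per source in each `seconds` window, drop the rest."""
    last = {}
    kept = []
    for ts, src in events:
        if src not in last or ts - last[src] >= seconds:
            last[src] = ts
            kept.append((ts, src))
    return kept


if __name__ == "__main__":
    print("stateless alerts:", stateless_alerts(PACKETS))        # 2001
    raw = detection_filter(PACKETS, count=100, seconds=5)
    print("events after detection_filter:", len(raw))          # 1900
    print("events after limit:", limit_per_window(raw, 60))    # one event
```

The stray host never crosses the threshold, so only the flooding source produces an event, and the limit stage reduces the 1900 above-threshold matches to a single alert for the 60-second window.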
Current thread:
- Detecting DDoS attacks with Snort Ana Serrano Mamolar (Jan 23)
- Re: Detecting DDoS attacks with Snort Joel Esler (jesler) (Jan 23)
- Re: Detecting DDoS attacks with Snort Ana Serrano Mamolar (Jan 23)
- Re: Detecting DDoS attacks with Snort Joel Esler (jesler) (Jan 23)
- Re: Detecting DDoS attacks with Snort Ana Serrano Mamolar (Jan 23)
- Re: Detecting DDoS attacks with Snort Joel Esler (jesler) (Jan 23)
- Re: Detecting DDoS attacks with Snort Ana Serrano Mamolar (Jan 23)
- Re: Detecting DDoS attacks with Snort Joel Esler (jesler) (Jan 23)
- Re: Detecting DDoS attacks with Snort Ana Serrano Mamolar (Jan 23)
- Re: Detecting DDoS attacks with Snort Ana Serrano Mamolar (Jan 23)
- Re: Detecting DDoS attacks with Snort Joel Esler (jesler) (Jan 23)