Snort mailing list archives
Re: Triggering inspector rules (arp_spoof / stream)
From: Oscar Alvarez <info () firenetsecurity com>
Date: Fri, 14 Apr 2023 17:21:03 -0700
Here are the steps to enable the Stream_Inspector preprocessor and rule 1 in Snort3:

1. Open your Snort3 configuration file (usually located at /etc/snort/snort.conf) in a text editor.
2. Search for the section that starts with "preprocessor stream_inspect".
3. Make sure that the "stream_inspect" preprocessor is enabled by removing the "#" character at the beginning of the line.
4. To enable rule 1 of the Stream_Inspector preprocessor, add the following line to your Snort3 configuration file:

       stream_preprocessor: rule 1

5. Save the configuration file and restart Snort3 for the changes to take effect.

Once rule 1 of the Stream_Inspector preprocessor is enabled, it should trigger an alert when it detects a TCP SYN flood attack. The exact threshold for this rule can be adjusted by modifying the "max_queued_packets" option in the Snort3 configuration file. By default, this option is set to 5 packets in a 1-second window, but you may want to adjust this value depending on the specifics of your network environment.

Sent from my iPhone
On Apr 10, 2023, at 6:05 AM, Julia Geiger <julia.geiger () rolls-royce-solutions de> wrote:

Hello Snort Community,

I am a student who just started working with Snort3 (Version: 3.1.18.0). For my project I need to detect ARP spoofing and TCP/SYN flood attacks.

For the arp_spoof inspector I configured the ip/mac address mapping in the configuration file. I also wrote rules for the four arp_spoof inspector events. When I run an ARP spoofing attack I get a log entry for rule 4 "attempted ARP cache overwrite attack". But when a message is sent to a host where the destination ip/mac address is spoofed, I do not get a log entry for rule 3. I looked at the sent packets and the ip/mac address do not match the configured values. I do not know why these rules are not triggered.

My config looks like this (inside of my snort.lua file):

    arp_spoof =
    {
        hosts =
        {
            { ip = "x.x.x.x", mac = "xx:xx:xx:xx:xx:xx" },
        }
    }

My rule file looks like this:

    alert ( msg:"some msg1"; gid:112; sid:1; )
    alert ( msg:"some msg2"; gid:112; sid:2; )
    alert ( msg:"some msg3"; gid:112; sid:3; )
    alert ( msg:"some msg4"; gid:112; sid:4; )

Besides that I am trying to trigger rule 1 of the stream inspector to detect SYN flood attacks. I looked into the code but I could not find what the conditions are to trigger the rule. But so far I could not trigger this rule. My own rule which just counts incoming packets with "flags:S" works perfectly though. I again enabled the inspector in my config and wrote rules for that event.

My config looks like this (inside my snort.lua file):

    stream = { }

My rule file looks like this:

    alert ( msg:"msg1"; gid:135; sid:1; )

I would really appreciate any support on triggering these events.

Thanks for any advice!

Best regards
Julia

Geschäftsführung/Board of Management: Michael Hierholzer CEO, Astrid Leeb CFO
Registergericht/Register Court: Amtsgericht Berlin-Charlottenburg, Nr./No. HRB 153514B
Rolls-Royce Solutions Berlin GmbH is part of Rolls-Royce Power Systems AG
Rolls-Royce Power Systems and its affiliates respect the protection of your personal data. For further information, please see our privacy notice: https://www.mtu-solutions.com/eu/en/legal-pages/privacy-policy.html

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
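To make the difference between the four gid 112 events concrete, here is an added, simplified Python model of the checks the arp_spoof inspector documents (this is illustration written for this thread, not Snort's code; the exact ordering of checks inside the inspector is an assumption). It shows that 112:3 compares the Ethernet destination MAC with the ARP target hardware address inside the frame, while only 112:4 consults the configured hosts table, so a spoofed reply whose headers are internally consistent raises 112:4 alone.

```python
# Added illustration of the arp_spoof inspector's event logic (simplified model,
# not Snort's source). Sample packets and the hosts table below are constructed.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
REQUEST, REPLY = 1, 2  # ARP opcodes


@dataclass
class ArpPacket:
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    op: int          # ARP opcode
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    target_mac: str  # ARP target hardware address


def arp_spoof_events(pkt: ArpPacket, hosts: dict) -> list:
    """Return the gid:sid events this packet would raise against a hosts table
    mapping ip -> mac (mirrors the snort.lua arp_spoof.hosts entries)."""
    events = []
    if pkt.op == REQUEST:
        if pkt.eth_dst.lower() != BROADCAST:
            events.append("112:1")  # unicast ARP request
        elif pkt.eth_src.lower() != pkt.sender_mac.lower():
            events.append("112:2")  # ethernet/ARP mismatch, request source
    elif pkt.op == REPLY:
        if pkt.eth_src.lower() != pkt.sender_mac.lower():
            events.append("112:2")  # ethernet/ARP mismatch, reply source
        elif pkt.eth_dst.lower() != pkt.target_mac.lower():
            events.append("112:3")  # ethernet/ARP mismatch, destination
    # 112:4 is the only check that uses the configured ip/mac table.
    expected = hosts.get(pkt.sender_ip)
    if expected is not None and expected.lower() != pkt.sender_mac.lower():
        events.append("112:4")  # attempted ARP cache overwrite attack
    return events


# Constructed hosts table and sample frames (placeholder addresses).
HOSTS = {"10.0.0.1": "aa:bb:cc:dd:ee:01"}
ATTACKER, VICTIM = "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:02"
# Reply claiming 10.0.0.1 from the wrong MAC, but with consistent headers.
SPOOFED_REPLY = ArpPacket(ATTACKER, VICTIM, REPLY, ATTACKER, "10.0.0.1", VICTIM)
# Same claim, but the frame is addressed to a MAC other than the ARP target.
MISMATCHED_REPLY = ArpPacket(ATTACKER, BROADCAST, REPLY, ATTACKER, "10.0.0.1", VICTIM)
# Ordinary broadcast request from the legitimate owner of 10.0.0.1.
LEGIT_REQUEST = ArpPacket(HOSTS["10.0.0.1"], BROADCAST, REQUEST,
                          HOSTS["10.0.0.1"], "10.0.0.1", "00:00:00:00:00:00")
```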
Current thread:
- Triggering inspector rules (arp_spoof / stream) Julia Geiger (Apr 10)
- Re: Triggering inspector rules (arp_spoof / stream) joel (Apr 12)
- Re: Triggering inspector rules (arp_spoof / stream) Oscar Alvarez (Apr 14)
- Re: Triggering inspector rules (arp_spoof / stream) Oscar Alvarez (Apr 14)
- Re: Triggering inspector rules (arp_spoof / stream) Joel Esler (Apr 16)