
[Snort-users] hping3 flood detection


Meysam Farazmand

Mar 12, 2014, 5:12:26 AM
Hi dear friends,

I am trying to detect an hping3 flood. I configured frag3 with the following configuration in snort.conf:

preprocessor frag3_global: prealloc_frags 8192
preprocessor frag3_engine: policy linux detect_anomalies overlap_limit 1 min_fragment_length 5 timeout 1 bind_to 192.168.4.1

and wrote the following rule in the ddos.rules file:

drop ip any any -> any any (msg:"Hping3  DDOS Detected";flow:to_server;detection_filter: track by_src, count 20, seconds 5;fragbits:M+;sid:123123149; rev:1;)

The command for executing hping3 is:

hping3 192.168.4.2 --flood -V -d 1450

When the data size in hping3 is smaller than 1500 bytes (1450 in the above command), Snort successfully detects it, but when it is greater than 1500 bytes (for example 1600), Snort fails to detect it, because 1600 bytes is greater than the Ethernet maximum frame size and the packet is fragmented into parts. So we expect frag3 to detect it, but when I execute hping3 with 1600 bytes of data and finally stop Snort to see the frag3 statistics, it shows me 0:

Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
Drops: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0

Can someone help me?
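As an added illustration, not part of this thread or of Snort's own code, the following Python models two things the question turns on: how a datagram of the sizes given above (hping3 -d 1450 vs. -d 1600) is split into IP fragments at a 1500-byte MTU, so which packets would actually carry the More Fragments bit that fragbits:M+ tests for, and an approximation of how the rule's detection_filter (track by_src, count 20, seconds 5) counts matching packets per source. It assumes hping3's default TCP mode with a 20-byte TCP header and a 20-byte IPv4 header without options; the event timestamps are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass

IP_HDR = 20   # IPv4 header length without options (assumption)
TCP_HDR = 20  # hping3 default mode sends TCP with no options (assumption)


@dataclass
class Fragment:
    offset: int   # fragment offset as carried in the IP header (8-byte units)
    length: int   # bytes of layer-4 data in this fragment
    mf: bool      # More Fragments flag


def fragment(data_len: int, mtu: int = 1500) -> list:
    """Split an hping3 datagram with data_len payload bytes across an MTU.
    Every fragment but the last carries a multiple of 8 bytes and has MF set;
    a datagram that fits in one frame is sent unfragmented with MF clear."""
    l4_len = TCP_HDR + data_len
    if IP_HDR + l4_len <= mtu:
        return [Fragment(0, l4_len, False)]
    chunk = (mtu - IP_HDR) // 8 * 8          # largest 8-byte-aligned piece per frame
    frags, off = [], 0
    while off < l4_len:
        n = min(chunk, l4_len - off)
        last = off + n >= l4_len
        frags.append(Fragment(off // 8, n, not last))
        off += n
    return frags


def matches_fragbits_m(frag: Fragment) -> bool:
    """fragbits:M+ matches when the MF bit is set, whatever the other bits are."""
    return frag.mf


def detection_filter(events, count: int = 20, seconds: float = 5.0) -> list:
    """Approximate 'detection_filter: track by_src, count N, seconds S':
    events is a list of (timestamp, src) for packets that matched the rest of
    the rule; returns the timestamps at which the rule is allowed to fire,
    i.e. once a source has reached N matches inside the sliding S-second window."""
    windows = {}   # src -> timestamps of its matches still inside the window
    fired = []
    for ts, src in events:
        window = windows.setdefault(src, deque())
        while window and ts - window[0] > seconds:
            window.popleft()
        window.append(ts)
        if len(window) >= count:
            fired.append(ts)
    return fired
```

With these assumptions, `fragment(1450)` yields one unfragmented packet with MF clear, while `fragment(1600)` yields a 1480-byte first fragment with MF set followed by a 140-byte final fragment, so only the first fragment of each 1600-byte datagram is a candidate for fragbits:M+.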

waldo kitty

Mar 12, 2014, 5:43:34 AM
On 3/12/2014 5:12 AM, Meysam Farazmand wrote:
> Hi dear friends,
>
> I am trying to detect an hping3 flood. I configured frag3 with the following
> configuration in snort.conf:

You haven't told us all the important items necessary to assist...

https://github.com/vrtadmin/snort-faq/blob/master/Lists/How-do-I-submit-a-good-question.md


--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
