security onion snort rules


Muhd Haziq

Jun 23, 2015, 4:20:57 AM6/23/15
to securit...@googlegroups.com
How can I alert when someone is trying to do a DoS attack using Snort rules?

Shane Castle

Jun 23, 2015, 6:20:13 AM6/23/15
to securit...@googlegroups.com
DoS can be done in so many different ways that the number of rules
needed to detect it is very large, and often subject to false positives.
For example, see the Emerging Threats ruleset (a recent version can be
found at
http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules )
and look for the string 'dos'. There are lots.

Snort rule writing needs knowledge of the low-level workings of network
communications, TCP, UDP, and ICMP, and often needs knowledge of how the
various protocols work (HTTP, SMTP, SNMP, and so on), plus regular
expression parsing. You should start with already-available rules and
then see if you can modify some of them to do what it is you want to do.
It may be that someone has already written the rules that you need.

On 23.06.2015 10:20, Muhd Haziq wrote:
> How can I alert when someone is trying to do a DoS attack using Snort rules?
>

--
With best regards
Shane Castle

hazi...@hotmail.com

Jun 23, 2015, 7:44:09 AM6/23/15
to securit...@googlegroups.com
On Tuesday, 23 June 2015 16:20:57 UTC+8, Muhd Haziq wrote:
> How can I alert when someone is trying to do a DoS attack using Snort rules?

As you said about that, how am I going to know if these DoS rules are already implemented?

Doug Burks

Jun 23, 2015, 7:56:39 AM6/23/15
to securit...@googlegroups.com
grep -i DOS /etc/nsm/rules/downloaded.rules


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Muhd Haziq

Jun 23, 2015, 9:33:37 PM6/23/15
to securit...@googlegroups.com
If possible, can I know what an example of a DoS command is, because I tried to execute a DoS command but could not..

Do I need to download updates from the internet for now?

Muhd Haziq

Jun 23, 2015, 11:27:20 PM6/23/15
to securit...@googlegroups.com
For a SYN flood DoS attack,

I use this Snort rule: alert tcp any any -> any any (msg:"TCP SYN flood attack detected"; flow:stateless; flags:S,12; threshold:type threshold, track by_src, count 3, seconds 1; classtype:attempted-recon; sid:10002; rev:1;)

For your information, I use this DoS command to test it out: hping3 -S 192.168.1.105 -a 200.0.0.1 -p 22 --flood
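As an added illustration that is not part of this thread (and not Snort's own code), the script below parses the rule posted above (with its two syntax slips corrected: the threshold keyword is "seconds", and the revision is written "rev:1") and replays a handful of constructed packet records through a simplified model of "threshold: type threshold, track by_src, count 3, seconds 1". The packet tuples, the timestamps and the second host 10.0.0.5 are all made up for the example; the addresses 192.168.1.105 and 200.0.0.1 are the ones used in the thread. The sliding-window bookkeeping is an approximation of how Snort counts events per source, not a copy of its internal implementation.

```python
import re
from collections import defaultdict, deque

# Rule from the thread, with "seconds" and "rev:1" corrected.
RULE = ('alert tcp any any -> any any (msg:"TCP SYN flood attack detected"; '
        'flow:stateless; flags:S,12; threshold:type threshold, track by_src, '
        'count 3, seconds 1; classtype:attempted-recon; sid:10002; rev:1;)')

OPTION_RE = re.compile(r'(\w+)\s*:\s*([^;]*);')


def parse_rule(rule):
    """Split a Snort rule into its header fields and an option dictionary."""
    header, _, body = rule.partition('(')
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {k: v.strip() for k, v in OPTION_RE.findall(body.rstrip(')'))}
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'options': opts}


def parse_threshold(spec):
    """Turn 'type threshold, track by_src, count 3, seconds 1' into a dict."""
    d = dict(part.strip().split() for part in spec.split(','))
    d['count'] = int(d['count'])
    d['seconds'] = int(d['seconds'])
    return d


def flags_match(pkt_flags, rule_flags):
    """'flags:S,12' semantics: exact match on S after masking reserved bits 1 and 2."""
    want, _, mask = rule_flags.partition(',')
    masked = ''.join(f for f in pkt_flags if f not in mask)
    return sorted(masked) == sorted(want)


class SynFloodDetector:
    """Applies the rule's flag test and a per-source event threshold (simplified model)."""

    def __init__(self, rule):
        self.rule = parse_rule(rule)
        self.th = parse_threshold(self.rule['options']['threshold'])
        self.flags = self.rule['options']['flags']
        self.seen = defaultdict(deque)   # tracked key -> timestamps of matches in window
        self.alerts = []

    def process(self, pkt):
        t, src, dst, dport, flags = pkt
        if not flags_match(flags, self.flags):
            return None
        key = src if self.th['track'] == 'by_src' else dst
        q = self.seen[key]
        q.append(t)
        # Drop matches that fell out of the "seconds" window.
        while q and t - q[0] > self.th['seconds']:
            q.popleft()
        if len(q) >= self.th['count']:
            q.clear()   # type threshold: alert on every count-th match, then start over
            alert = (t, key, self.rule['options']['msg'].strip('"'),
                     int(self.rule['options']['sid']))
            self.alerts.append(alert)
            return alert
        return None


# Constructed packet records: (time, src, dst, dport, tcp_flags).
PACKETS = [
    (0.00, '200.0.0.1', '192.168.1.105', 22, 'S'),    # burst of SYNs from one source
    (0.10, '200.0.0.1', '192.168.1.105', 22, 'S'),
    (0.20, '200.0.0.1', '192.168.1.105', 22, 'S2'),   # ECN bit set; masked, still counts
    (0.30, '200.0.0.1', '192.168.1.105', 22, 'S'),
    (0.40, '200.0.0.1', '192.168.1.105', 22, 'S'),
    (0.50, '10.0.0.5', '192.168.1.105', 22, 'S'),     # normal handshake from another host
    (0.51, '10.0.0.5', '192.168.1.105', 22, 'A'),
    (0.52, '10.0.0.5', '192.168.1.105', 22, 'PA'),
    (3.50, '10.0.0.5', '192.168.1.105', 443, 'S'),    # second connection much later
]


def run(packets=PACKETS, rule=RULE):
    """Replay packets through the detector and return the alerts raised."""
    det = SynFloodDetector(rule)
    for pkt in packets:
        det.process(pkt)
    return det.alerts


if __name__ == '__main__':
    for t, key, msg, sid in run():
        print(f'{t:5.2f}s  [{sid}] {msg}  src={key}')
```

Running it raises exactly one alert, on the third SYN from 200.0.0.1 at 0.20 s; the two SYNs that follow start a new count and stay below three, and the ordinary handshake from 10.0.0.5 never reaches the threshold. That is also why a rule like this only ever sees what arrives on the sniffing interface: if the SYNs are filtered upstream, the per-source count never climbs and nothing fires.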

Muhd Haziq

Jun 23, 2015, 11:28:28 PM6/23/15
to securit...@googlegroups.com
As stated above, I tried it and Snort does not look like it is detecting, giving me an error.. Is it correct?

Doug Burks

Jun 25, 2015, 7:47:04 AM6/25/15
to securit...@googlegroups.com
On Tue, Jun 23, 2015 at 11:28 PM, Muhd Haziq <s961...@gmail.com> wrote:
> As stated above, I tried it and Snort does not look like it is detecting, giving me an error

What error is it giving you?

Muhd Haziq

Jun 25, 2015, 9:56:41 PM6/25/15
to securit...@googlegroups.com
Nothing, just that it will not detect. I attack using Kali Linux: hping3 -S 192.168.1.105 -a 200.0.0.1 -p 22 --flood, and its IP address is 192.168.1.105, to attack a victim computer (IP: 200.0.0.1); both are on different networks. Is it correct?

Doug Burks

Jun 25, 2015, 11:52:22 PM6/25/15
to securit...@googlegroups.com
On Thu, Jun 25, 2015 at 9:56 PM, Muhd Haziq <s961...@gmail.com> wrote:
> Nothing, just that it will not detect. I attack using Kali Linux: hping3 -S 192.168.1.105 -a 200.0.0.1 -p 22 --flood, and its IP address is 192.168.1.105, to attack a victim computer (IP: 200.0.0.1); both are on different networks. Is it correct?

Have you verified that your Security Onion box is actually receiving
this traffic on its sniffing interface?

Muhd Haziq

Jun 26, 2015, 2:26:02 AM6/26/15
to securit...@googlegroups.com
Yeah, it is able to receive ICMP alerts so far?

Doug Burks

Jun 26, 2015, 7:30:44 AM6/26/15
to securit...@googlegroups.com
Your sensor is seeing ICMP traffic, but is it seeing traffic on port 22?

In another thread, you mentioned that the sensor was unable to connect
to the master server on port 22. This sounds like you have a firewall
which is blocking port 22 traffic, which might also be blocking this
hping traffic. If that's the case, then your sensor may not be seeing
the hping traffic at all.

On Fri, Jun 26, 2015 at 2:26 AM, Muhd Haziq <s961...@gmail.com> wrote:
> Yeah, it is able to receive ICMP alerts so far?

hazi...@hotmail.com

Jun 28, 2015, 6:41:41 AM6/28/15
to securit...@googlegroups.com
Yeap, you are correct sir, sorry for spamming you with questions as I am just a newbie to this. I am trying to get higher marks to show my teacher.
