
Snort Forums Archive


DDOS rule not firing


Posted by Hippie on March 24, 2005 05:17:05

If anyone is familiar with it, the Lincoln Laboratory at MIT has released several sets of traffic data simulating the phases building up to, and including, a DDOS attack. I am trying to have Snort analyze this data in order to analyze Snort's output. All goes mostly well; I can see all the alerts firing that lead up to the attack, but I never get the *actual* DDOS alert firing. I am including, among others, the DDOS rules file in my snort.conf.

Further, just to be sure, I looked up the DDOS alert I'm trying to get and placed that exact
rule into the DDOS.rules file... still no go. I'm at a loss here. Anyone with ideas??

Posted by Hippie on March 24, 2005 05:22:12

Forgot to place the URL for the Lincoln Labs data...


http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html

Posted by novowels on March 26, 2005 12:19:59

what is the rule you placed in the ddos.rules file?

Posted by Hippie on March 28, 2005 05:03:19

"DDOS Shaft Client to Handler"

http://www.snort.org/pub-bin/sigs.cgi?sid=230

I know I plucked it from the snort.org site but that was before they changed it completely. Seems the new Snort site doesn't put up the actual rule anymore?????? Unfortunately, I've tried other attempts at this problem and, in the process, wiped out the old rule set I had. A little bit of research turns up this thing though:

# arachNIDS IDS254 with the variable names snort.conf actually defines
# ($EXTERNAL_NET / $HOME_NET), a classtype present in the stock
# classification.config, and the Snort sid (230) this signature corresponds to;
# the original $EXTERNAL/$INTERNAL and "system-success" do not exist in a
# default Snort install, so the rule would not load as written.
alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"IDS254/ddos_ddos-shaft-client-to-handler"; flags:A+; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:1;)


But I thought about something since I made this post... Currently, my HOME_NET is set to "any" (I'm painfully new to Snort), and I was thinking that this may be part of the issue. The data sets I'm using are such that there is an inside network connected to the outside world via a DMZ and it is in the DMZ that the DDOS attack takes place. Do I need to do a little editing on my Snort.conf to maybe sharpen this down a little?

And thanks a bunch for your help.

Posted by idontknow on April 01, 2005 17:34:50

try sniffing the traffic with Ethereal or tcpdump and then creating your own signature based on the traffic.
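In the spirit of that advice, a check added here (not part of the thread) that can be run before touching snort.conf at all: does the capture contain any packet the rule header of sid 230 (TCP to port 20432 with ACK set, i.e. flags:A+) could select? With HOME_NET and EXTERNAL_NET both "any", port and flags are the only selectors left. The reader assumes a classic libpcap file with Ethernet framing; the addresses and packets in the sample are constructed.

```python
import struct

# Rule header from the thread: alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (... flags:A+ ...)
# With HOME_NET/EXTERNAL_NET both "any", only the port and the ACK flag select packets.
HANDLER_PORT = 20432
ACK = 0x10

def tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def pcap_bytes(frames):
    """Wrap frames in a classic little-endian libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def packets_matching_rule_header(data, dport=HANDLER_PORT):
    """Count TCP packets to dport with ACK set: packets the rule header could select at all."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off, hits = 24, 0                      # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                       # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) >= 14 and struct.unpack("!H", tcp[2:4])[0] == dport and tcp[13] & ACK:
            hits += 1
    return hits

# Constructed capture: a SYN to the handler port (no ACK, so flags:A+ cannot match),
# an ACK to the handler port, and ordinary web traffic on port 80.
SAMPLE = pcap_bytes([
    tcp_frame("10.0.0.5", "172.16.1.10", 40000, HANDLER_PORT, 0x02),
    tcp_frame("10.0.0.5", "172.16.1.10", 40000, HANDLER_PORT, ACK),
    tcp_frame("172.16.1.10", "10.0.0.5", 40001, 80, ACK | 0x08),
])

if __name__ == "__main__":
    print("packets the sid 230 header could select:", packets_matching_rule_header(SAMPLE))
```

Against the real file, `packets_matching_rule_header(open(path, "rb").read())` returning zero means no snort.conf change can make this rule fire on that capture, and the signature has to be built from what the traffic actually contains.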