Some questions about Snort
-
I wrote this rule to test Ping of Death Denial of Service:
alert icmp any any -> any any (msg:"Ping of Death Detected"; dsize:>1000; itype:8; icode:0; detection_filter:track by_src, count 30, seconds 1; sid:2000004; classtype:denial-of-service; rev:3;)
And this command to test:
hping3 -i u10000 -1 -d 1200
Everything works fine. Snort generated an alert and blocked the source IP. But the traffic doesn't seem to be slowing down:
Is that normal? I tried to use the "drop" action, but it doesn't work.
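To make the behaviour of the rule above concrete, here is an added Python simulation (not from the original post or from Snort itself) of the per-packet match (icmp, itype:8, icode:0, dsize:>1000) together with detection_filter:track by_src, count 30, seconds 1, run over constructed traffic modelled on the hping3 command in the post. The packet fields, the fixed-window reset and the 2-second sample are assumptions made for the example; the count semantics follow the Snort manual, which defines count as the maximum number of matches allowed in the window before the limit is exceeded.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float   # arrival time in seconds (constructed)
    src: str
    dst: str
    proto: str
    itype: int  # ICMP type (8 = echo request)
    icode: int  # ICMP code
    dsize: int  # payload size in bytes


def rule_matches(pkt):
    """The per-packet part of the rule: icmp, itype:8, icode:0, dsize:>1000."""
    return (pkt.proto == "icmp" and pkt.itype == 8
            and pkt.icode == 0 and pkt.dsize > 1000)


class DetectionFilter:
    """Approximation of detection_filter: track by_src, count c, seconds s.

    Per the Snort manual, count is the maximum number of rule matches
    allowed in the window before the limit is exceeded, so the event fires
    on match c+1 and on every further match in the same window. The simple
    fixed-window reset used here is an assumption of this example.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self._state = {}  # src -> (window_start, matches_in_window)

    def exceeded(self, src, ts):
        start, n = self._state.get(src, (ts, 0))
        if ts - start >= self.seconds:   # window expired: start a new one
            start, n = ts, 0
        n += 1
        self._state[src] = (start, n)
        return n > self.count


def run_rule(packets, count=30, seconds=1):
    """Return (packet_index, ts, src) for every packet that would raise the alert."""
    df = DetectionFilter(count, seconds)
    alerts = []
    for i, p in enumerate(packets):
        if rule_matches(p) and df.exceeded(p.src, p.ts):
            alerts.append((i, p.ts, p.src))
    return alerts


def hping3_like_traffic(src, dst, pps=100, dsize=1200, seconds=2):
    """Constructed traffic modelled on `hping3 -i u10000 -1 -d 1200`:
    -i u10000 is one packet every 10000 us, i.e. 100 ICMP echo requests
    per second, each carrying 1200 data bytes (the -d value)."""
    return [Packet(ts=i / pps, src=src, dst=dst, proto="icmp",
                   itype=8, icode=0, dsize=dsize)
            for i in range(pps * seconds)]


if __name__ == "__main__":
    # Addresses taken from the topology in the thread (assumed for the example).
    flood = hping3_like_traffic("192.168.1.3", "192.168.1.100")
    alerts = run_rule(flood)
    print(f"{len(alerts)} alerts; first on packet {alerts[0][0]} "
          f"at t={alerts[0][1]:.2f}s from {alerts[0][2]}")

    # A normal 56-byte ping at the same rate never satisfies dsize:>1000.
    print(len(run_rule(hping3_like_traffic("192.168.1.1", "192.168.1.100",
                                           dsize=56))), "alerts for 56-byte pings")
```

Two things the run makes visible: at 100 packets/s the filter trips on the 31st packet, about 0.3 s into the flood, and the rule then fires on every further match in the window (140 events in a 2-second sample), which is why detection_filter is normally paired with an event_filter. Also, the filter only decides when the rule fires; it says nothing about what happens to the packets, so with a plain alert action (and no inline mode) the echo requests keep arriving at the interface regardless of how many alerts are raised.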
-
Did you activate the Kill states option?
Snort isn't working in inline mode, so you can't set the drop or reject action in the rule.
-
Yes, I already checked the Kill states option. Is there any other way to drop or reject packets? Or should I install snort-inline?
-
Maybe you did the test from an IP in the trusted subnet?
-
I tested on two VMware VMs like this, with a spoofed IP address:
LAN Net (10.0.0.0/24) ---- (LAN: 10.0.0.1) pfSense (WAN: 192.168.1.100/24 | GW: 192.168.1.1) ---- Backtrack (192.168.1.3/24)
$HOME_NET:
Before I started Snort, the traffic looked like this:
Packet Capture:
After I started Snort, it blocked the spoofed IP:
And the traffic looked like this:
From what I captured, it doesn't generate any echo (ping) replies because the spoofed IP is blocked. But the incoming traffic is still high. Is there any way I can slow it down?