Netgate Discussion Forum
    DDOS attack does not generate alert on snort

    androse:

      Hello guys,

      I have installed my snort on my WAN interface. I have enabled Snort VRT and Emerging Threats ET Open categories in this snort.

      In this WAN interface I have marked in categories "Use IPS Policy" and selected BALANCED. I have also marked all the "emerging Threats" below.

      I have seen several types of alerts, including port scans, for which I was able to generate alerts by enabling the corresponding preprocessor. But I cannot generate ATTACK DOS alerts. I have tested with software like "slowhttptest" and "LOIC", but in both cases no alert appears. This differs from portscan, for example, which alerts instantly after I generate any kind of scan.

      I still do not have much experience with snort, but I believe I'm on the right track. So I would like to leave some doubts here in case anyone can help me.

      1 - How do I enable alerts for DOS / DDOS (brute force) traffic?

      2 - Should I download some more rules to improve alerts? (OpenAppID ??)

      3 - In addition to portscan and attacks, what kind of tools or commands can I use to test the efficiency of my snort?

    pfBasic:

        1 - How do I enable alerts for DOS / DDOS (brute force) traffic?

        You already have the ETOpen rule set. It contains a category named emerging-dos.rules, those are the rules you're looking for.

        2 - Should I download some more rules to improve alerts? (OpenAppID ??)

        It depends on what you are trying to protect and from what/whom, how important it is, how much you want to spend, how much time you want to spend. Paid rules are better rules. Just enabling a shit ton of rules is pretty much guaranteed to cause problems. Enable what you think you need, and then monitor your alerts without blocking for a while (some networks need months, others hours). That way you know which rules are generating false positives for you and can disable them.
        TLDR; there's a good chance you don't need more or better rules. You just need to properly implement the ones you already have.

        3 - In addition to portscan and attacks, what kind of tools or commands can I use to test the efficiency of my snort?

        The first tool to use are your logs and alerts before you set your rules to block traffic.

        Here are a few others that may interest you (I've no experience with these, they are just Google search results):

        • https://stormsecurity.wordpress.com/2009/03/03/application-layer-ddos-simulator/

        • https://github.com/markus-go/bonesi

        Here's an article that may interest you:
        https://scadasecurity636.wordpress.com/2014/07/04/suricata-dos-rules/

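The advice above boils down to one workflow: run the emerging-dos.rules category in alert-only mode, watch the alert log for a while, and use the volume and spread of each rule's hits to decide which SIDs are false positives worth disabling and which fired on a real burst. The script below is an added example illustrating that triage, not code from the thread, from Netgate, or from the Snort project. It assumes Snort's fast alert format (one alert per line, as written by the alert_fast output), IPv4 addresses, and the ET Open convention of prefixing messages with a category such as "ET DOS"; the SIDs 9000001 to 9000003, the rule messages, and the alert lines themselves are constructed placeholders, not real signatures.

```python
import re
from collections import Counter, defaultdict

# Snort "fast" alert format (alert_fast output plugin), one alert per line.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alert log. SIDs 9000001-9000003 and the messages are
# placeholders invented for this example, not real ET Open signatures.
SAMPLE_ALERTS = """\
03/04-10:00:01.000001  [**] [1:9000001:1] ET DOS Example flood signature (constructed) [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80
03/04-10:00:01.000250  [**] [1:9000001:1] ET DOS Example flood signature (constructed) [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.10:80
03/04-10:00:01.000500  [**] [1:9000001:1] ET DOS Example flood signature (constructed) [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:40003 -> 192.0.2.10:80
03/04-10:00:01.000750  [**] [1:9000001:1] ET DOS Example flood signature (constructed) [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:40004 -> 192.0.2.10:80
03/04-10:00:05.000000  [**] [1:9000002:1] ET SCAN Example portscan signature (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51234 -> 192.0.2.10:22
03/04-10:01:00.000000  [**] [1:9000003:1] ET POLICY Example noisy policy signature (constructed) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.20:50000 -> 198.51.100.1:443
03/04-10:02:00.000000  [**] [1:9000003:1] ET POLICY Example noisy policy signature (constructed) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.21:50001 -> 198.51.100.1:443
03/04-10:03:00.000000  [**] [1:9000003:1] ET POLICY Example noisy policy signature (constructed) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.22:50002 -> 198.51.100.1:443
this line is not an alert and must be skipped by the parser
"""


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio"):
            a[key] = int(a[key])
        # ICMP alerts carry no port, so only strip a port when one is present
        # (IPv4 assumption: the last ':' separates address from port).
        a["src_ip"] = a["src"].rsplit(":", 1)[0] if ":" in a["src"] else a["src"]
        a["dst_ip"] = a["dst"].rsplit(":", 1)[0] if ":" in a["dst"] else a["dst"]
        alerts.append(a)
    return alerts


def category(msg):
    """Rule-set category taken from the message prefix, e.g. 'ET DOS' for emerging-dos.rules."""
    parts = msg.split()
    return " ".join(parts[:2]) if len(parts) >= 2 else msg


def summarize(alerts):
    """Alert counts per rule and per category, plus distinct source IPs per rule."""
    by_sid = Counter((a["gid"], a["sid"]) for a in alerts)
    by_cat = Counter(category(a["msg"]) for a in alerts)
    sources = defaultdict(set)
    for a in alerts:
        sources[(a["gid"], a["sid"])].add(a["src_ip"])
    return {"by_sid": by_sid, "by_category": by_cat,
            "distinct_sources": {k: len(v) for k, v in sources.items()}}


def review_candidates(alerts, min_alerts=3):
    """Rules that fired at least min_alerts times, busiest first, with the number of
    distinct sources. Many sources tripping a low-priority rule over a long period is
    the usual false-positive pattern to disable; one source hammering one rule in a
    burst is the behaviour a DOS rule is supposed to catch."""
    s = summarize(alerts)
    msg_for = {(a["gid"], a["sid"]): a["msg"] for a in alerts}
    return [
        {"gid": gid, "sid": sid, "msg": msg_for[(gid, sid)], "count": n,
         "sources": s["distinct_sources"][(gid, sid)]}
        for (gid, sid), n in s["by_sid"].most_common() if n >= min_alerts
    ]


def peak_rate(alerts, gid, sid):
    """Highest number of alerts for one rule within a single second (burst check)."""
    per_second = Counter(a["ts"].split(".")[0] for a in alerts
                         if a["gid"] == gid and a["sid"] == sid)
    return max(per_second.values(), default=0)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("alerts per category:", dict(summarize(alerts)["by_category"]))
    for row in review_candidates(alerts):
        print(f"{row['gid']}:{row['sid']}  count={row['count']}  sources={row['sources']}  "
              f"peak/s={peak_rate(alerts, row['gid'], row['sid'])}  {row['msg']}")
```

On the constructed sample the DOS rule shows four hits in one second from a single source (a burst worth keeping), while the policy rule shows three hits spread over minutes from three different internal hosts (the shape of a candidate for disabling). Point `parse_alerts` at the contents of the real alert file for the WAN interface and the same two numbers, count and distinct sources, give a first cut of what to tune before switching the interface from alert to block.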
    androse:

          Thanks a lot, pfBasic. It really opened my eyes on that point. I'll analyze the logs for a while before applying lock.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.