Netgate Discussion Forum

DDOS attack does not generate alert on snort

IDS/IPS
3 Posts 2 Posters 1.5k Views
    androse
    last edited by Mar 11, 2017, 4:26 AM

    Hello guys,

    I have installed my snort on my WAN interface. I have enabled Snort VRT and Emerging Threats ET Open categories in this snort.

    In this WAN interface I have marked in categories "Use IPS Policy" and selected BALANCED. I have also marked all the "emerging Threats" below.

    I have seen several types of alerts, including port scan, which I was able to generate alerts for by enabling the corresponding preprocessor. But I cannot generate ATTACK DOS alerts. I have tested with software like "slowhttptest" and "LOIC", but in both cases no alert appears. This is different from portscan, for example, which alerts instantly after I generate any kind of scan.

    I still do not have much experience with snort, but I believe I'm on the right track. So I would like to leave some doubts here in case anyone can help me.

    1 - How do I enable alerts for DOS / DDOS (brute force) traffic?

    2 - Should I download some more rules to improve alerts? (OpenAppID ??)

    3 - In addition to portscan and attacks, what kind of tools or commands can I use to test the efficiency of my snort?

      pfBasic Banned
      last edited by Mar 11, 2017, 7:51 AM

      1 - How do I enable alerts for DOS / DDOS (brute force) traffic?

      You already have the ETOpen rule set. It contains a category named emerging-dos.rules; those are the rules you're looking for.

      2 - Should I download some more rules to improve alerts? (OpenAppID ??)

      It depends on what you are trying to protect and from what/whom, how important it is, how much you want to spend, how much time you want to spend. Paid rules are better rules. Just enabling a shit ton of rules is pretty much guaranteed to cause problems. Enable what you think you need, and then monitor your alerts without blocking for a while (some networks need months, others hours). That way you know which rules are generating false positives for you and can disable them.
      TLDR; there's a good chance you don't need more or better rules. You just need to properly implement the ones you already have.

      3 - In addition to portscan and attacks, what kind of tools or commands can I use to test the efficiency of my snort?

      The first tools to use are your logs and alerts, before you set your rules to block traffic.

      Here are a few others that may interest you (I've no experience with these, they are just Google search results):

      • https://stormsecurity.wordpress.com/2009/03/03/application-layer-ddos-simulator/

      • https://github.com/markus-go/bonesi

      Here's an article that may interest you:
      https://scadasecurity636.wordpress.com/2014/07/04/suricata-dos-rules/

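      As an added example of the review-before-block workflow pfBasic describes (this is not code from the thread, from Netgate or from the Snort project): it parses a constructed batch of Snort alert_fast lines, tallies hits per rule and per source, and emits Snort threshold.conf suppress entries for rules that only ever fire from hosts you have already reviewed as benign, so the rule stays active for everyone else. The SIDs, IP addresses and rule messages are placeholders, and the "trusted sources" set is an assumption you supply after reviewing the alerts.

```python
import re

# Constructed sample alerts in Snort alert_fast format; SIDs, IPs and messages are placeholders.
SAMPLE_ALERTS = """\
03/11-04:26:01.100000  [**] [1:9000001:2] ET DOS Example Slow HTTP Request [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:51234 -> 198.51.100.10:80
03/11-04:26:02.200000  [**] [1:9000001:2] ET DOS Example Slow HTTP Request [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:51235 -> 198.51.100.10:80
03/11-04:26:03.300000  [**] [1:9000002:1] ET SCAN Example Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40000 -> 198.51.100.10:22
03/11-04:27:10.400000  [**] [1:9000003:1] ET POLICY Example Monitoring Poll [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.20:161 -> 198.51.100.10:161
03/11-04:27:11.500000  [**] [1:9000003:1] ET POLICY Example Monitoring Poll [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.20:161 -> 198.51.100.10:161
03/11-04:27:12.600000  [**] [1:9000003:1] ET POLICY Example Monitoring Poll [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.20:161 -> 198.51.100.10:161
"""

# timestamp  [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def summarize(alerts):
    """Group alerts by (gid, sid): hit count plus distinct source and destination IPs."""
    summary = {}
    for a in alerts:
        key = (int(a["gid"]), int(a["sid"]))
        entry = summary.setdefault(
            key, {"msg": a["msg"], "count": 0, "sources": set(), "dests": set()})
        entry["count"] += 1
        entry["sources"].add(a["src"])
        entry["dests"].add(a["dst"])
    return summary

def suppress_candidates(summary, trusted_sources, min_hits=3):
    """Rules that fire repeatedly and only from hosts already reviewed as benign
    (e.g. an internal monitoring box) are false-positive candidates. Emit Snort
    threshold.conf 'suppress' lines scoped to those sources rather than disabling
    the whole rule, so it still fires for any other host."""
    lines = []
    for (gid, sid), e in sorted(summary.items()):
        if e["count"] >= min_hits and e["sources"] <= trusted_sources:
            for src in sorted(e["sources"]):
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return lines
```

Run it over a real alert log by replacing SAMPLE_ALERTS with the file contents; the suppress lines map directly onto the pfSense Snort package's per-interface suppress list.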
        androse
        last edited by Mar 11, 2017, 1:31 PM

        Thanks a lot, pfBasic. It really opened my eyes on that point. I'll analyze the logs for a while before applying blocking.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.