how to know if snort detects syn flood attacks since snort alert is not logging anything

Asma · Sep 13, 2014 · Viewed 18.1k times

I have snort running on CentOS as IDS. I am trying to test if snort can detect the syn flood attack. I am sending the attack from the same LAN network. I added this rule in local.rules:

alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, track by_src, count 70, seconds 10; sid:10001; rev:1;)

Snort alert file is not logging when I run snort in fast mode. It was logging but now it is not. So I cannot see if it detects the attack or not. How can I make snort detect this attack?

Answer

johnjg12 · Oct 10, 2014

For starters, the keyword threshold is deprecated and will not be supported in a future release. You should use the keyword "detection_filter" instead (reference).

You need to make sure that hosts initiating the syn flood are not hosts contained within your $HOME_NET variable, otherwise you need to change the source IP to be either "any" or $HOME_NET (if they are in the $HOME_NET). This also depends on your syn flood attack. Are you using multiple source hosts to syn flood the destination host, or are you using one source host to syn flood the destination? This will make a difference. If you have multiple source hosts, you need to track by destination (you will probably want to track by destination either way for this). If you are initiating the syn flood from a single host, then you can track by source.
The rate for detection_filter is tracked either by source IP address or destination IP address. This means count is maintained for each unique source IP address or each unique destination IP address. So if your syn flood has multiple source IPs you need to use track by_dst to track the amount of syns that are going to the single destination. Example:

alert tcp any any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; detection_filter: track by_dst, count 70, seconds 10; sid:10001; rev:1;)

This rule will alert on every syn to a unique IP in $HOME_NET during one sampling period of 10 seconds, after the first 70 syns. Writing a rule like this can cause problems as you need to know what the normal amount of connections are. Do you expect your webserver to get more than 70 connections in 10 seconds? If so then you would need to increase the count or decrease the seconds.

If your syn flood attack has a unique source generating multiple syns to a destination IP in $HOME_NET, you can track by_src:

# alternative to the by_dst rule above; load one or the other, since both reuse sid 10001
alert tcp any any -> $HOME_NET 80 (flags: S; msg:"Possible TCP DoS"; flow: stateless; detection_filter: track by_src, count 70, seconds 10; sid:10001; rev:1;)

This rule will fire on every syn from a unique IP to a unique IP in $HOME_NET during one sampling period of 10 seconds, after the first 70 syns.
Example: host 10.1.1.1 sends 83 syns in 10 seconds to host 10.1.1.2, the last 13 of those syns would be alerted on.

I would say you would want to track by destination because it will cover both scenarios (single or multiple source IPs). You want a rule to simply limit the amount of connections to your webserver, so you will track the connections to the destination and drop them after a certain threshold is reached to protect your server from being overwhelmed. syn floods typically randomize the source IP, so if you were tracking by source it would not prevent a syn flood.
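To see why by_dst covers both cases while by_src misses a flood with randomized sources, here is an added Python model of the detection_filter counting described in the answer (count 70, seconds 10), replayed over constructed SYN events. It is not Snort code and not part of the answer; the fixed-window counting and the 10.x.x.x addresses are assumptions made for the illustration.

```python
# Constructed SYN events as (timestamp_seconds, src_ip, dst_ip); no real capture.
def detection_filter_alerts(events, track, count, seconds):
    """Replay SYN events through a detection_filter model and return the
    indexes of the events the rule would alert on.

    Model (a simplification of Snort's per-address rate tracking): for each
    tracked address keep a window start and a packet counter; a packet that
    arrives more than `seconds` after the window start opens a fresh window;
    the rule fires on every packet once the counter exceeds `count`."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    state = {}  # tracked address -> [window_start, packets_in_window]
    alerts = []
    for idx, (ts, src, dst) in enumerate(events):
        key = src if track == "by_src" else dst
        win = state.get(key)
        if win is None or ts - win[0] > seconds:
            win = state[key] = [ts, 0]
        win[1] += 1
        if win[1] > count:
            alerts.append(idx)
    return alerts

def single_source_flood(n=83, dst="10.1.1.2"):
    # The answer's example: n SYNs from one host spread over 10 seconds.
    return [(i * 10.0 / n, "10.1.1.1", dst) for i in range(n)]

def spoofed_source_flood(n=83, dst="10.1.1.2"):
    # Same volume, but every SYN carries a different (constructed) source.
    return [(i * 10.0 / n, f"10.0.{i // 256}.{i % 256}", dst) for i in range(n)]

def compare_tracking(events, count=70, seconds=10):
    # Number of alerts each tracking mode would produce for the same traffic.
    return {t: len(detection_filter_alerts(events, t, count, seconds))
            for t in ("by_src", "by_dst")}

if __name__ == "__main__":
    print("single source  :", compare_tracking(single_source_flood()))
    print("spoofed sources:", compare_tracking(spoofed_source_flood()))
    # 60 distinct clients in 10 s stays under the threshold in both modes
    print("normal traffic :", compare_tracking(spoofed_source_flood(n=60)))
```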