Snort mailing list archives
successful dos attack
From: Balla István <balla.bmf () gmail com>
Date: Fri, 10 May 2013 22:58:45 +0200
Hey guys,
Recently I launched a DoS attack which was successful against an SSH server
(it killed the service). I set the preproc and detection rules for SSH and
DoS attacks to drop. I used LOIC and set it to simulate 1000 users. I wonder
why it was successful, since Snort detected the event and the relevant rule is
drop.
(Event)
sensor id: 0 event id: 451 event second: 1368138414 event
microsecond: 535870
sig id: 4 gen id: 128 revision: 1 classification: 25
priority: 2 ip source: 209.100.10.2 ip destination: 10.10.10.2
src port: 64380 dest port: 22 protocol: 6 impact_flag: 32
blocked: 1
Packet
sensor id: 0 event id: 451 event second: 1368138414
packet second: 1368138414 packet microsecond: 535870
linktype: 1 packet_length: 86
[ 0] CA 01 0E 20 00 1C CA 00 0E 20 00 08 08 00 45 00 ... ..... ....E.
[ 16] 00 48 55 9E 40 00 7F 06 B6 9F D1 64 0A 02 0A 0A .HU.@......d....
[ 32] 0A 02 FB 7C 00 16 D9 5D 08 01 BF FA 92 2E 50 18 ...|...]......P.
I attach the capture file caught on the attacked host.
Attachment:
dos_ssh.pcap
