Snort mailing list archives
why UDP disc acquire?
From: Andrey Kiryukhin <andrei_1980 () mail ru>
Date: Fri, 24 Jun 2016 18:06:48 +0300
Hi all. I use snort 2.9.8.2. I have a pcap file for an old attack (see attachment). It contains only UDP packets.
I wrote a test rule:
alert udp any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype:attempted-dos; sid:1000001; rev:1;)
and ran snort:
snort -c ./etc/snort.conf -A console -K none -k none -r ./pcaps/DOS_Nbisakmp.pcap
and got no alerts. In the output stats I have:
...........
Packet I/O Totals:
Received: 100
Analyzed: 100 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
.....................
Breakdown by protocol (includes rebuilt packets):
Eth: 100 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 100 (100.000%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 100 (100.000%)
...................
*UDP Disc: 100 (100.000%)*
ICMP Disc: 0 ( 0.000%)
All Discard: 100 (100.000%)
(the full output and snort.conf are in the attachments)
If I change the rule (udp to ip):
alert *ip* any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype:attempted-dos; sid:1000001; rev:1;)
all packets generate alerts.
So, why are the UDP packets in the sample pcap discarded if I use the udp protocol in the alert?
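Added here as an illustration (not part of the post, and not Snort's own code): the "UDP Disc" counter counts datagrams the UDP decoder rejected before any udp rule was evaluated, while an ip rule is matched at the IP layer and so still fires on the same packets. The script below applies the usual UDP header checks (a length field inconsistent with the IP payload, and a bad UDP checksum) to constructed sample frames that stand in for DOS_Nbisakmp.pcap; note that the command above passes -k none, which disables Snort's checksum verification, so a checksum mismatch would not be the cause there.

```python
import struct

def _csum(data: bytes) -> int:
    # One's-complement checksum used by IPv4 and UDP (RFC 1071).
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def udp_decode_problems(frame: bytes):
    # Header checks a decoder makes before a datagram can reach UDP rules. Assumption:
    # these are the usual length-field and checksum checks, written here, not Snort's code.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return ["not an IPv4/UDP frame"]
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    payload = frame[14 + ihl:14 + ip_total]          # the UDP datagram as IP sees it
    if len(payload) < 8:
        return ["IP payload shorter than UDP header"]
    ulen, usum = struct.unpack("!HH", payload[4:8])
    problems = []
    if ulen < 8:
        problems.append("UDP length field %d < 8" % ulen)
    if ulen > len(payload):
        problems.append("UDP length field %d > IP payload %d" % (ulen, len(payload)))
    if usum and not problems:  # zero checksum means "not computed" on IPv4
        pseudo = frame[26:34] + b"\0\x11" + struct.pack("!H", ulen)
        if _csum(pseudo + payload[:ulen]) != 0:
            problems.append("bad UDP checksum")
    return problems

def build_frame(sport, dport, data, udp_len=None, good_csum=True):
    # Constructed Ethernet/IPv4/UDP frame (10.0.0.1 -> 10.0.0.2) for the sample below.
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    ulen = len(data) + 8 if udp_len is None else udp_len
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + data
    good = _csum(src + dst + b"\0\x11" + struct.pack("!H", len(udp)) + udp) or 0xFFFF
    bad = (good ^ 1) or 0xFFFE                       # guaranteed to fail verification
    udp = udp[:6] + struct.pack("!H", good if good_csum else bad) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return b"\xff" * 6 + b"\xaa" * 6 + b"\x08\x00" + ip + udp

# Constructed stand-in for the frames in DOS_Nbisakmp.pcap: clean, bad length, bad checksum.
SAMPLE_FRAMES = [
    build_frame(500, 500, b"isakmp-ish payload"),
    build_frame(500, 500, b"isakmp-ish payload", udp_len=4000),
    build_frame(500, 500, b"isakmp-ish payload", good_csum=False),
]
```

Running udp_decode_problems over the frames of a real capture (read with any pcap library) shows which header defect keeps each datagram from reaching udp rules.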
Attachments: DOS_Nbisakmp.pcap, out.log, snort.conf
