Brute Force Attack

minkoong · April 24, 2023

snort


threshold: type limit

ubuntu

alert icmp any any -> ubuntu_ip any (msg: "ICMP Ping Test"; threshold: type limit, track by_dst, count 5, seconds 10; sid: 1000001;)

kali

$ ping -c <count> ubuntu_ip

ubuntu

$ snort -A console -q -u snort -g snort -c /etc/snort/snort.conf

threshold: type threshold

ubuntu

alert icmp any any -> ubuntu_ip any (msg: "ICMP Ping Test"; threshold: type threshold, track by_dst, count 5, seconds 10; sid:1000001;)

kali

$ ping -c <count> ubuntu_ip

ubuntu

$ snort -A console -q -u snort -g snort -c /etc/snort/snort.conf

threshold: type both

ubuntu

alert icmp any any -> ubuntu_ip any (msg: "ICMP Ping Test"; threshold: type both, track by_dst, count 5, seconds 10; sid:1000001;)

kali

$ ping ubuntu_ip

ubuntu

$ snort -A console -q -u snort -g snort -c /etc/snort/snort.conf
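
The three rules above differ only in which matching packets raise an alert. The following Python model is an added example, not part of the original post and not Snort's own code; it assumes a fixed window per tracked address that opens at the first match, and the function name `alerts` and the sample address are hypothetical.

```python
# Simplified model of Snort's rule-level threshold option (added example).
# Assumption: a fixed window per tracked key that opens at the first matching
# event and restarts once `seconds` have elapsed.

def alerts(kind, events, count=5, seconds=10):
    """Return the timestamps that alert. events = [(time_s, tracked_ip), ...]."""
    state = {}          # tracked_ip -> [window_start, matches_in_window]
    fired = []
    for t, key in sorted(events):
        win = state.get(key)
        if win is None or t - win[0] >= seconds:
            win = state[key] = [t, 0]       # open a new window
        win[1] += 1
        n = win[1]
        if kind == "limit":                 # first `count` matches per window
            hit = n <= count
        elif kind == "threshold":           # every `count`-th match
            hit = n % count == 0
        elif kind == "both":                # once per window, at the `count`-th match
            hit = n == count
        else:
            raise ValueError(f"unknown threshold type: {kind}")
        if hit:
            fired.append(t)
    return fired

# Constructed input: one echo request per second for 12 seconds to one
# destination (placeholder address), grouped the way `track by_dst` would.
PINGS = [(t, "192.0.2.10") for t in range(12)]

if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(f"{kind:9} -> alerts at t = {alerts(kind, PINGS)}")
```

With `count 5, seconds 10`, `limit` caps alert volume, `threshold` reports sustained rates, and `both` gives one alert per window once the rate is reached.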

TCP SYN Flooding Attack

ubuntu

alert tcp any any -> ubuntu_ip any (msg: "Detect DDoS SYN Flooding"; flags: S; threshold: type threshold, track by_dst, count 5, seconds 10; sid:1000001;)

kali

$ hping3 -S --rand-source ubuntu_ip -p 22 --faster

ubuntu

$ snort -A console -q -u snort -g snort -c /etc/snort/snort.conf
