[Oisf-users] lots of UDP packet to small in fast.log
Andreas Herz
andi at geekosphere.org
Mon Nov 9 12:54:48 UTC 2015
On 08/11/15 at 22:31, John Brown wrote:
> Hi,
>
> just installed Suricata and I'm noticing that it's logging
>
> 11/09/2015-05:25:14.685678 [**] [1:2200038:1] SURICATA UDP packet too
> small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
> -> 42.XX.XX.94:0
> 11/09/2015-05:25:14.694036 [**] [1:2200038:1] SURICATA UDP packet too
> small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
> -> 42.XX.XX.94:0
> 11/09/2015-05:25:15.249368 [**] [1:2200038:1] SURICATA UDP packet too
> small [**] [Classification: (null)] [Priority: 3] {UDP} 24.XX.XX.226:0
> -> 42.XX.XX.94:0
>
> when I tcpdump these, they are DNS packets that are part of an
> amplification attack.
>
> 1. How do I tune Suricata to track these properly?
What do you have in mind with "tune properly"?
It's just a rule from decode-events that triggers.
So anything special you want to achieve?
> 2. Are there rules available that will alert on a DNS Amp attack?
What rules do you already use?
Do you have a tool with which we could test the attack and see if maybe
Emerging Threats rules detect it?
> Many thanks for help and pointers.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
--
Andreas Herz
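The alerts quoted above are Suricata decoder events (sid 2200038 from decode-events), one line per alert in fast.log. As an added example, not code from the thread or from the Suricata project, here is a small parser for that fast.log line format that counts alerts per source/destination/signature and flags sources that raise the same decoder event in a burst. The sample log lines are constructed: they copy the quoted format with documentation addresses (192.0.2.x, 198.51.100.x) in place of the masked IPs, and the second signature (sid 9999999, "CONSTRUCTED placeholder alert") is a placeholder, not a real Suricata rule.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Suricata writes one alert per line in fast.log (the mail quoted above wrapped
# them for display). Layout:
#   <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample input: same format as the quoted alerts, documentation
# addresses instead of the masked ones; the last line uses a placeholder sid/msg.
SAMPLE_FAST_LOG = """\
11/09/2015-05:25:14.685678 [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 192.0.2.226:0 -> 198.51.100.94:0
11/09/2015-05:25:14.694036 [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 192.0.2.226:0 -> 198.51.100.94:0
11/09/2015-05:25:15.249368 [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 192.0.2.226:0 -> 198.51.100.94:0
11/09/2015-05:25:40.000000 [**] [1:2200038:1] SURICATA UDP packet too small [**] [Classification: (null)] [Priority: 3] {UDP} 192.0.2.7:0 -> 198.51.100.94:0
11/09/2015-05:25:41.100000 [**] [1:9999999:1] CONSTRUCTED placeholder alert [**] [Classification: (null)] [Priority: 3] {UDP} 192.0.2.7:53 -> 198.51.100.94:41000
"""


def parse_fast_log_line(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        d[key] = int(d[key])
    # Ports show up as 0 on these decoder events because the datagram was too
    # short for a UDP header to be decoded.
    return d


def parse_fast_log(text):
    """Parse a whole fast.log body, silently skipping lines that do not match."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_fast_log_line(line)
        if parsed is not None:
            alerts.append(parsed)
    return alerts


def count_by_pair(alerts):
    """Count alerts per (src, dst, sid) so noisy talkers stand out."""
    return Counter((a["src"], a["dst"], a["sid"]) for a in alerts)


def burst_sources(alerts, sid, threshold, window_seconds):
    """Return {src: peak_count} for sources that raised `sid` at least `threshold`
    times inside any sliding window of `window_seconds` (a cheap rate check;
    thresholds here are illustrative, not tuned values)."""
    per_src = defaultdict(list)
    for a in alerts:
        if a["sid"] == sid:
            per_src[a["src"]].append(a["time"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for (src, dst, sid), n in count_by_pair(parsed).most_common():
        print(f"{src} -> {dst} sid={sid}: {n} alerts")
    print("burst sources:", burst_sources(parsed, 2200038, threshold=3, window_seconds=5))
```

The rate check only answers the narrower question of which sources keep tripping the decoder event; whether the traffic is actually an amplification attack is still a job for protocol-aware rules (the Emerging Threats sets mentioned in the reply) or for inspecting the captures themselves.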