[Oisf-users] dataset testing

Nelson, Cooper cnelson at ucsd.edu
Tue Mar 26 19:13:18 UTC 2019


DoS attacks mean different things, in different contexts, on different networks.  So you really need to write them yourself and tag them as LOCAL.

Here is an example of one I wrote to detect UDP floods on port 80 outbound.

alert udp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL DOS UDP port 80 flood outbound, Potential DOS"; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:4;)

-Coop
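To see why a rule like the one above fires only once per flood rather than thousands of times, here is a small Python model of the `threshold: type both, track by_dst, count N, seconds S` semantics (alert once per S-second window for a destination once N matching packets have been seen, then stay quiet until the window expires), replayed over constructed packet timestamps. This is an added example, not Coop's code nor Suricata's implementation; Suricata's internal window bookkeeping differs in detail, and the IP addresses and timing are constructed.

```python
"""Simplified model of a Suricata 'threshold: type both, track by_dst'
rule, replayed over constructed traffic. Added example; not Suricata's
own code, and the window handling is an approximation of the documented
semantics (one alert per window per destination once the count is hit)."""
from dataclasses import dataclass, field


@dataclass
class _DstState:
    window_start: float
    count: int = 0
    alerted: bool = False


@dataclass
class BothThreshold:
    count: int          # packets required inside one window
    seconds: float      # window length
    _state: dict = field(default_factory=dict)

    def observe(self, dst: str, ts: float) -> bool:
        """Feed one packet that matched the rule's header/content part.
        Returns True if this packet produces an alert."""
        st = self._state.get(dst)
        if st is None or ts - st.window_start >= self.seconds:
            # No window yet, or the previous one expired: start a new one.
            st = _DstState(window_start=ts)
            self._state[dst] = st
        st.count += 1
        if st.count >= self.count and not st.alerted:
            st.alerted = True   # 'type both': alert once, then suppress
            return True
        return False


def replay(events, count=5000, seconds=5.0):
    """events: iterable of (timestamp, dst_ip) for packets matching the rule.
    Returns the list of (timestamp, dst_ip) pairs at which an alert fired."""
    thr = BothThreshold(count, seconds)
    return [(ts, dst) for ts, dst in events if thr.observe(dst, ts)]


def constructed_events():
    """Constructed traffic (not captured data): a 6000-packet burst to one
    host during second 0-1, a 100-packet trickle to another host, then a
    second 6000-packet burst to the first host starting at t=10s."""
    ev = [(i / 6000, "198.51.100.10") for i in range(6000)]
    ev += [(2.0 + i / 100, "198.51.100.20") for i in range(100)]
    ev += [(10.0 + i / 6000, "198.51.100.10") for i in range(6000)]
    ev.sort()
    return ev


if __name__ == "__main__":
    for ts, dst in replay(constructed_events()):
        print(f"t={ts:.3f}s  alert: UDP/80 flood toward {dst}")
```

Running it shows two alerts in total, both for 198.51.100.10 (one per burst, the second because the 5-second window had expired), and none for the 100-packet trickle. That is the behaviour to expect when checking such a rule against a dataset: one alert per destination per window, so a sustained flood yields a handful of alerts, not one per packet, and a rate below `count` per `seconds` yields none.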

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Brano Kramár
Sent: Tuesday, March 26, 2019 2:44 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] dataset testing

Hi, I want to use Suricata as an IDS in my network. Firstly I decided to try it in offline mode on existing datasets. I am using ET open rules now. After enabling all rules with priority 1 or 2, Suricata wasn't able to detect all DoS attacks in the dataset created by https://www.unb.ca/cic/datasets/ids-2017.html
The dataset from Wednesday should contain different DoS attacks, but Suricata generated only 3 alerts. Did I make any mistake in configuration? Are Suricata and ET open rules able to detect DoS attacks?

thanks