Snort Analyser
First select your Wireshark trace:
Trace name: /log/tear.zip
Snort Output
The Snort output (alert.ids) is:

[**] [1:270:6] DOS Teardrop attack [**]
[Priority: 0]
09/09-04:11:26.616090 10.1.1.1 -> 129.111.30.27
UDP TTL:64 TOS:0x0 ID:242 IpLen:20 DgmLen:56 MF
Frag Offset: 0x0000   Frag Size: 0x0024
Rules file
alert udp any any -> any any (msg:"DOS Teardrop attack"; fragbits:M; id:242; sid:270; rev:6;)
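To show what the alert above actually records and why the rule fired on it, here is an added Python example (not code from the page or from the Snort project). It parses Snort full-format alert records into fields and then evaluates the rule's three header tests (udp, fragbits:M, id:242) against each record. The first record is the alert.ids entry from this page; the second record, the single-line copy, and the rule dictionary are constructed for the example, and the matcher is a simplified stand-in for Snort's own option engine, not its real API.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in Snort's "full" alert layout (as produced by
# snort -r trace.pcap -c <rules> -A full). Record 1 is the alert.ids entry
# shown on this page; record 2 is a made-up, non-fragmented UDP datagram
# (DF set, different IP ID) logged under a hypothetical test sid, which the
# teardrop rule must not match.
SAMPLE_ALERTS = """\
[**] [1:270:6] DOS Teardrop attack [**]
[Priority: 0]
09/09-04:11:26.616090 10.1.1.1 -> 129.111.30.27
UDP TTL:64 TOS:0x0 ID:242 IpLen:20 DgmLen:56 MF
Frag Offset: 0x0000   Frag Size: 0x0024

[**] [1:9999999:1] TEST constructed non-fragment UDP [**]
[Priority: 3]
09/09-04:11:27.001000 10.1.1.1:1025 -> 129.111.30.27:53
UDP TTL:64 TOS:0x0 ID:243 IpLen:20 DgmLen:56 DF
"""

# The same first record as the page shows it: flattened onto one line.
FLAT_ALERT = ("alert.ids: [**] [1:270:6] DOS Teardrop attack [**] [Priority: 0] "
              "09/09-04:11:26.616090 10.1.1.1 -> 129.111.30.27 UDP TTL:64 TOS:0x0 "
              "ID:242 IpLen:20 DgmLen:56 MF Frag Offset: 0x0000 Frag Size: 0x0024 |")

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
ADDR_RE = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)")
IPHDR_RE = re.compile(
    r"(TCP|UDP|ICMP) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)"
    r"((?: (?:DF|MF|RB))*)"          # IP flag words Snort appends after DgmLen
)
FRAG_RE = re.compile(r"Frag Offset: 0x([0-9A-Fa-f]+)\s+Frag Size: 0x([0-9A-Fa-f]+)")


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: Optional[int]
    timestamp: str
    src: str
    dst: str
    proto: str
    ttl: int
    tos: int
    ip_id: int
    ip_len: int
    dgm_len: int
    flags: frozenset          # subset of {"DF", "MF", "RB"}
    frag_offset: Optional[int]
    frag_size: Optional[int]


def parse_alert(record: str) -> SnortAlert:
    """Parse one full-format record; layout (multi-line or flattened) is normalised first."""
    text = " ".join(record.split())
    hdr, addr, iph = HEADER_RE.search(text), ADDR_RE.search(text), IPHDR_RE.search(text)
    if not (hdr and addr and iph):
        raise ValueError("not a recognisable Snort full-format alert: %r" % text[:60])
    prio, frag = PRIO_RE.search(text), FRAG_RE.search(text)
    return SnortAlert(
        gid=int(hdr.group(1)), sid=int(hdr.group(2)), rev=int(hdr.group(3)), msg=hdr.group(4),
        priority=int(prio.group(1)) if prio else None,
        timestamp=addr.group(1), src=addr.group(2), dst=addr.group(3),
        proto=iph.group(1), ttl=int(iph.group(2)), tos=int(iph.group(3), 16),
        ip_id=int(iph.group(4)), ip_len=int(iph.group(5)), dgm_len=int(iph.group(6)),
        flags=frozenset(iph.group(7).split()),
        frag_offset=int(frag.group(1), 16) if frag else None,
        frag_size=int(frag.group(2), 16) if frag else None,
    )


def parse_alerts(text: str) -> list:
    """Split an alert file into blank-line-separated records and parse each."""
    return [parse_alert(rec) for rec in re.split(r"\n\s*\n", text.strip()) if rec.strip()]


# Header tests lifted from the page's rule; the dict form is a simplification for this example.
FRAGBIT_NAMES = {"M": "MF", "D": "DF", "R": "RB"}
TEARDROP_RULE = {"proto": "udp", "fragbits": "M", "id": 242}


def rule_matches(alert: SnortAlert, rule: dict) -> bool:
    if alert.proto.lower() != rule["proto"]:
        return False
    # fragbits with no +/*/! modifier is an exact test on the three-bit field:
    # the listed bits must be set and the remaining bits clear.
    if alert.flags != {FRAGBIT_NAMES[b] for b in rule["fragbits"]}:
        return False
    # id:242 is an exact match on the IP identification field.
    return alert.ip_id == rule["id"]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a.timestamp} {a.src} -> {a.dst} sid={a.sid} ip_id={a.ip_id} "
              f"flags={sorted(a.flags)} teardrop rule matches: {rule_matches(a, TEARDROP_RULE)}")
```

Running it shows that the page's alert fires on nothing more than two IP header values: MF set (with DF and RB clear) and identification 242. That makes sid 270 a cheap first-line signature but a brittle one, since the fixed IP ID is an artefact of the original teardrop tool rather than of the overlapping-fragment condition itself; the fragment reassembly preprocessor is what actually detects bad overlaps, so alerts from this rule are best read alongside its output.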
Examples
Snort can also be run as a stand-alone analyser over a saved capture with the "-r" option (snort -r <pcap>). The following traces are available as input:
- Trace with Hydra FTP crack/Bad Login
- Trace with Hydra Telnet crack
- Trace with Port Scan
- Trace with SYN Flood (DoS)
- Trace with FIN Flood (DoS)
- Trace with PDF file
- Trace with GIF file
- Trace with PNG file
- Trace with email attachments (MIME)
- Trace with email addresses
- Trace with credit card details
- Trace with DNS
- Trace with Ping sweep
- Trace with SNMP
- Trace with ARP Spoof
- Trace with Heartbleed
- Teardrop DoS
- Bittorrent