OSSIM doesn't detect Denial of Service events


New Life Form
Hi, I'm testing OSSIM with certain DoS tools like Slowloris, Low Orbit Ion Cannon (LOIC) and Siege. My targets are certain hosts with Apache and Tomcat, so I aim at ports 80 and 8080. With Slowloris the service falls, but the OSSIM NIDS doesn't get any event during the attack from any tool.

I tried enabling all the available rules (uncommenting all of them) and got nothing but more noise.

Finally, I tried using the OSSEC HIDS on the hosts to watch the application logs (Apache and Tomcat), and again got nothing, just logs about the files that are changing.

Any suggestions?

Thanks in advance.

  • Nefisco,

    If the NIDS plugin is enabled, and network port monitoring is properly configured on the infrastructure/OSSIM, the NIDS rules will detect a variety of scanning behaviors matching Home_Net <> !Home_Net behavior.

    If you are not seeing these alerts, please check the following:

    1 - Home_net configuration (monitored networks on sensor / configured networks on Server UI)
    2 - Promiscuous IP traffic received at monitor port (non-encapsulated traffic for the monitored subnets)
    3 - Suricata enabled in the plugins section on the appropriate sensor
    4 - Updates current
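
For the first item in the checklist above, an added example (not from the thread or from OSSIM) that classifies a test flow against a HOME_NET definition, to show whether it is the HOME_NET <> !HOME_NET traffic the reply says the rules match. The HOME_NET value and addresses are constructed, and only a flat Suricata-style address list with `!` negation is parsed.

```python
import ipaddress

def parse_group(expr):
    """Parse a flat Suricata-style address group, e.g. "[10.0.0.0/8,!10.9.0.0/16]".
    Returns (included, excluded) lists of networks. Nested groups and
    variable references ($VAR) are not handled here (assumption)."""
    included, excluded = [], []
    for item in expr.strip().strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        target = excluded if item.startswith("!") else included
        target.append(ipaddress.ip_network(item.lstrip("!"), strict=False))
    return included, excluded

def in_group(ip, group):
    """True if ip is in an included network and in no excluded one."""
    included, excluded = group
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in included) and not any(addr in n for n in excluded)

def classify_flow(src, dst, home_net):
    """Describe how a flow relates to HOME_NET."""
    group = parse_group(home_net)
    s, d = in_group(src, group), in_group(dst, group)
    if s and d:
        return "internal-only"      # HOME_NET <> HOME_NET
    if s or d:
        return "crosses-boundary"   # HOME_NET <> !HOME_NET
    return "unmonitored"            # neither end is inside HOME_NET

# Constructed sample values, not taken from the thread.
HOME_NET = "[192.168.0.0/16,10.0.0.0/8,!10.9.0.0/16]"
SAMPLE_FLOWS = [
    ("192.168.1.50", "192.168.1.10"),  # test box and web server on one LAN
    ("203.0.113.7", "192.168.1.10"),   # outside host to a monitored server
    ("203.0.113.7", "10.9.0.5"),       # server sits in an excluded range
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {classify_flow(src, dst, HOME_NET)}")
```

A lab flow that comes back as "internal-only" or "unmonitored" is not HOME_NET <> !HOME_NET traffic, so that is the first thing to rule out before looking at the rules themselves.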

