Questions tagged [snort]
Snort is a software package used for network intrusion detection.
129 questions
11 votes, 1 answer, 3k views
Snort is receiving traffic, but doesn't appear to be applying rules
I have snort installed and running in inline mode via NFQUEUE on my local (as in I can walk in the next room and touch it) gateway. I have the following rule in my /etc/snort/rules/snort.rules:
alert ...
11 votes, 2 answers, 2k views
Snort Performance Monitoring
Using snort version 2.8.6, I am attempting to collect application performance stats such as
Number of packets not processed due to application overload
Percentage of time in processing layers (...
7 votes, 3 answers, 4k views
snort analysis of wireshark capture
I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying ...
7 votes, 2 answers, 10k views
Why do my Snort logs appear to be empty?
So I was following this guide on how to install Snort, Barnyard 2 and the like.
I've set up Snort so it would run automatically, by editing the rc.local file:
ifconfig eth1 up
/usr/local/snort/bin/...
6 votes, 3 answers, 3k views
Modern open source NIDS/HIDS and consoles? [closed]
Years back we set up an IDS solution by placing a tap in front of our exterior firewall, piping all the traffic on our DS1 through an IDS box and then sending the results off to a logging server ...
6 votes, 1 answer, 38k views
Snort rules for syn flood / ddos? [duplicate]
Can someone provide me rules to detect the following attack:
hping3 -S -p 80 --flood --rand-source [target]
I'm having a problem with rules since the packets come from random sources.
My current rules are:
...
5 votes, 2 answers, 2k views
Updating snort rules automatically
I've been working on getting my snort machine up and running, and working through Snort IDS and IPS Toolkit.
The authors suggest using Oinkmaster, but on that website, the last update was February ...
5 votes, 1 answer, 3k views
How can I run a shell script on a snort alert?
I have snort listening to the SPAN port of a cisco switch. I'd like to be able to add an iptables DROP rule on my webserver for specific snort alerts but I'm having a hard time finding out exactly how to ...
5 votes, 1 answer, 4k views
Running snort behind iptables
I run a Centos 6.5 server with a highly restrictive iptables ruleset allowing incoming traffic only on a small handful of tcp ports (8 in total) and blocking all incoming unsolicited UDP traffic.
I ...
4 votes, 2 answers, 3k views
Is there an appliance-style distribution with web-based configuration for Snort? [closed]
There are some great "appliance" style distributions like pfSense and M0n0wall, that bundle powerful features of their respective operating systems with a nice web application for configuration. In my ...
4 votes, 2 answers, 15k views
specifying snort output files?
I'm confused about snort outputs. Where are the output file(s) supposed to be specified?
OR, more specifically, I've got two files being written (alert and snort.log.xxx), but only have one output ...
4 votes, 4 answers, 2k views
can Snort be installed on VPS?
I want the maximum security for my linux vps. I found many tutorials around the net but they don't cover Snort. Only those like portentry, logsentry, tripwire and so on.
So I'm beginning to think ...
4 votes, 1 answer, 4k views
How do iptables work with NFQ in terms of traffic shaping in snort?
I'm trying to understand how iptables and NFQ work together with snort.
The reason that I ask this is because from what I understand snort can be set to IPS via NFQ but if you have iptables there ...
3 votes, 5 answers, 3k views
IDS for Linux?
We need to set up an intrusion detection system (IDS) on our Linux proxy server. Please suggest intrusion detection systems. Anything other than Snort?
And ... does Snort have a good web interface?
3 votes, 3 answers, 5k views
Snort Based Firewall
I have not worked with SNORT much or done too much research on this but it sounds possible.
If I set up a server and run Snort on it, would it then be possible to route ALL my traffic through it like ...
3 votes, 2 answers, 1k views
Is there any real difference between Snort and Suricata?
Looking to move forward in deploying IDS/IPS on several FreeBSD firewalls and I was curious about the difference between Snort and Suricata. I know that Suricata is multi-threaded but in terms of rule ...
3 votes, 2 answers, 11k views
pfSense and Disabling SURICATA UDPv4 invalid checksum
We have a pfSense router running with packet inspection. Our logs are filling up with these requests:
SURICATA UDPv4 invalid checksum
Research shows that we should do the following:
Disable the ...
3 votes, 4 answers, 31k views
Snort: Unable to open rules file
This is my first with snort. And I can't get it to run.
I followed this tutorial exactly. And I have Fedora 21.
Here's the output from snort -c /etc/snort/snort.conf -v -i enp0s3:
Running in IDS ...
3 votes, 2 answers, 6k views
Centos KVM Host OS not passing all network traffic to Guest OS
I'm running KVM on Centos 5. I have a guest OS, ubuntu 10.04, that has Snort 2.9 installed on it. The guest OS has two NICs, eth0 and eth1. One NIC, eth0, is configured with an IP and can be ...
3 votes, 2 answers, 19k views
Snort not sending alert log file to syslog server?
I am set up with three virtual machines running Ubuntu - a Server, Client, and Gateway. I am tasked with setting up Snort on the Gateway to monitor "attacks" from the Client to the Server. Snort is ...
3 votes, 1 answer, 2k views
Snort configuration: why is RULE_PATH undefined?
I am installing and configuring Snort 3 for the first time on CentOS 8 while following the Snort 3.0.3 on CentOS8 manual from Snort's official documentation (I can't link directly to it as it's ...
2 votes, 3 answers, 6k views
Snort not detecting outgoing traffic
I'm using Snort 2.9 on Windows Server 2008 R2 x64, with a very simple configuration that goes like this:
# Entire content of Snort.conf:
alert tcp any any -> any any (sid:5000000; content:"...
2 votes, 1 answer, 4k views
What is the difference between fail2ban and snort?
I have a server that is exposed to the internet and I would like to provide some protection against DDOS attacks. Currently, I am considering using either fail2ban and/or snort. I know that they have ...
2 votes, 2 answers, 2k views
Linux or Windows based firewall using Snort
I am wondering if anyone can point me to documentation on how to set up a basic Linux or Windows host that receives inbound Internet traffic on eth0, runs it through Snort and then passes the traffic ...
2 votes, 2 answers, 5k views
Custom Rules for Snort
I need to allow certain traffic through which is being blocked by snort, e.g. ICMP from a specific address. How can I do this?
2 votes, 1 answer, 5k views
Tuning Snort Rules: COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
This is a common problem in Snort, but I'm not sure why the rule triggers at all.
The rule below comes from the Debian repositories. Apparently it is designed to trigger when there are more than ...
2 votes, 1 answer, 4k views
Snort/Barnyard2 Logging
I need some help with my Snort/Barnyard2 setup. My goal is to have Snort send unified2 logs to Barnyard2 and then have Barnyard2 send the data to other locations. Here is my current setup.
OS
...
2 votes, 1 answer, 14k views
snort: drop icmp rule doesn't actually drop packets
I installed snort-2.9.7 from sources, and launch it as IDS:
% snort -devQ -A console -c /etc/snort/snort.conf -i eth0:eth1
Enabling inline operation
Running in IDS mode
...
The config file is very ...
2 votes, 1 answer, 59 views
POLICY Mozilla Multiple Products HTML href shell attempt - SNORT
We've had a few of these alerts get triggered through Snort:
"POLICY Mozilla Multiple Products HTML href shell attempt"
I'm struggling to find any information pertaining to this alert, does anyone ...
2 votes, 1 answer, 2k views
snort not logging full output to syslog
I am able to send snort alerts to my remote syslog server but I am not able to see the full alert message; I only see basic information like title, source and destination IP. I am specifically interested ...
2 votes, 1 answer, 276 views
Are random packets normal?
About a month ago on one of my servers I started receiving random packets from IPs all over the world. So I did the smart thing and stopped putting off installing an IDS. This IDS is a ClearOS Gateway ...
2 votes, 0 answers, 2k views
Suricata logs "A Network Trojan was detected". Is it a false positive?
I use Suricata as an IDS on the local network, which doesn't have internet access. It logged a few alerts from some clients that said A Network Trojan was detected.
All the log's properties are in the following:...
2 votes, 1 answer, 1k views
Can Suricata be used as an effective IPS on a single server?
I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major ...
2 votes, 0 answers, 170 views
Snort rules detection
I have a snort rule that is not detected in a pcap.
In some pcap files this rule is detected, in some others not. I tried a lot of possible options, but no detection.
Maybe if someone may help me, it should be good ;-)...
2 votes, 0 answers, 307 views
Configuring Barnyard2 Output Plug-In Per Input Source
I am currently using snort-2.9.3.1 outputting unified2 log format and using barnyard2-1.9 to process the alerts and send them to both syslog and a database. In some cases I have multiple instances of ...
2 votes, 0 answers, 411 views
Implications of unified2 logging with multiple instances of snort
I am beginning to migrate my snort logging from alert_syslog to unified2 using barnyard2 as the processor. In some cases I have multiple instances of snort running on the same system. Since I have ...
1 vote, 2 answers, 3k views
How can I mirror all of the traffic on a network interface to a virtual interface
I am trying to set up snort to act as an ids, on a debian machine that also functions as a router. Ideally I would like to set up snort in such a way so that I would not have to purchase an additional ...
1 vote, 2 answers, 5k views
pfSense and Snort: unexpected portscan traffic on interface
I have a pfSense box acting as my public facing router and stateful firewall.
There is 1 WAN interface and several LAN interfaces using private IPs behind NAT.
I EXPECT to see portscans or all kinds ...
1 vote, 3 answers, 2k views
What are some of the commonly used rule actions in snort other than the defaults?
I'm writing a strict snort rule parser and I would like to accommodate snort rules from popular plugins. The documentation specifies that any action/type is possible because they can be defined by ...
1 vote, 2 answers, 3k views
How can I put snort in front of an nginx server
I want to prevent attacks on my nginx server. How can I proxy the requests through snort to the nginx server?
NFQueues are a solution. I am able to pass packets to snort using the following rules
sudo ...
1 vote, 1 answer, 3k views
Snort IDS on HAproxy with encrypted traffic
Using HAproxy, can I direct traffic to a backend server from all the other backend servers in a pool? From a networking standpoint, it would be comparable to mirroring all ports on a switch to one ...
1 vote, 1 answer, 598 views
Problems running snort's web frontend
I can't find a good snort web frontend that works properly. I tried BASE; I got so many errors while trying to get it to work:
Warning: include_once(Mail.php) [function.include-once]: failed to open ...
1 vote, 1 answer, 4k views
snort3 Undefined variable in the string: HOME_NET
I have installed snort3 on my ubuntu server using this URL from the snort web site:
Snort 3.0.1 on Ubuntu 18 & 20
I have compiled it according to the instructions and edited /usr/local/etc/snort/...
1 vote, 1 answer, 3k views
Suspicious DNS query leads to "Intrusion protection alert" on Sophos UTM
A customer Sophos-UTM reports Intrusion protection alert warnings INDICATOR-COMPROMISE suspicious .null dns query:
2019:01:15-11:54:13 utm-ba snort[31619]: id="2101" severity="warn" sys="SecureNet" ...
1 vote, 1 answer, 2k views
Snort not sniffing any traffic except its own
I'm currently trying to set up Snort on my local machine. At the moment I have 3 VMs: 1 with snort on it and 2 used to ping each other.
Whenever I ping from one of the devices to the Snort-machine, ...
1 vote, 1 answer, 3k views
Suricata, Docker, and host networking: No non-docker traffic
I've created a docker container with Suricata and Evebox on it. On my host I start with:
ifconfig enp2s0:1 192.168.0.111 netmask 255.255.255.0 up
This sets up a new interface off my existing one. I ...
1 vote, 1 answer, 2k views
Replaying pcap file for Snort
I currently have the following, presumably standard, setup:
I have a physical server with Snort running. Snort logs into its log files as it should. Those files are tracked by barnyard2 which writes ...
1 vote, 1 answer, 1k views
Why doesn't Snort match on DNS response?
This is likely a beginner's misunderstanding.
System is: Ubuntu AMD64, 14.04.03 LTS; installed Snort with default configuration.
I am writing a Snort rule that deals with DNS responses. In order to ...
1 vote, 1 answer, 421 views
Is it possible to use syslog-ng to forward logs to SecurityOnion ELSA?
I have installed Snort IDS and syslog-ng on my VM, and I want to use syslog-ng to forward my logs to another VM which is SecurityOnion. So I want to know whether syslog-ng can forward logs to ELSA which is in ...
1 vote, 2 answers, 2k views
Trouble Starting Snorby / Ruby dependency issue
I am trying to install Snorby on a CentOS 6.6 machine and keep getting an issue with ruby and my Gemfile. I believe I either have to edit my Gemfile or it has something to do with an installation ...