
Questions tagged [snort]

Snort is a software package used for network intrusion detection.

11 votes
1 answer
3k views

Snort is receiving traffic, but doesn't appear to be applying rules

I have snort installed and running in inline mode via NFQUEUE on my local (as in I can walk in the next room and touch it) gateway. I have the following rule in my /etc/snort/rules/snort.rules: alert ...
Cliff Armstrong
11 votes
2 answers
2k views

Snort Performance Monitoring

Using snort version 2.8.6, I am attempting to collect application performance stats such as Number of packets not processed due to application overload Percentage of time in processing layers (...
Scott Pack
7 votes
3 answers
4k views

snort analysis of wireshark capture

I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying ...
Ben Voigt
7 votes
2 answers
10k views

Why do my Snort logs appear to be empty?

So I was following this guide on how to install Snort, Barnyard 2 and the like. I've set up Snort so it would run automatically, by editing the rc.local file: ifconfig eth1 up /usr/local/snort/bin/...
hdr
6 votes
3 answers
3k views

Modern open source NIDS/HIDS and consoles? [closed]

Years back we set up an IDS solution by placing a tap in front of our exterior firewall, piping all the traffic on our DS1 through an IDS box and then sending the results off to a logging server ...
MattC
6 votes
1 answer
38k views

Snort rules for syn flood / ddos? [duplicate]

Can someone provide me rules to detect the following attack: hping3 -S -p 80 --flood --rand-source [target] I'm having problems with rules since the packets come from random sources. My current rules are: ...
NoodleX
5 votes
2 answers
2k views

Updating snort rules automatically

I've been working on getting my snort machine up and running, and working through Snort IDS and IPS Toolkit. The authors suggest using Oinkmaster, but on that website, the last update was February ...
Matt Simmons
5 votes
1 answer
3k views

How can I run a shell script on a snort alert?

I have snort listening to the SPAN port of a cisco switch. I'd like to be able to add an iptables DROP rule on my webserver for specific snort alerts but having a hard time finding out exactly how to ...
Server Fault
5 votes
1 answer
4k views

Running snort behind iptables

I run a Centos 6.5 server with a highly restrictive iptables ruleset allowing incoming traffic only on a small handful of tcp ports (8 in total) and blocks all incoming unsolicited UDP traffic. I ...
Ex Umbris
4 votes
2 answers
3k views

Is there an appliance-style distribution with web-based configuration for Snort? [closed]

There are some great "appliance" style distributions like pfSense and M0n0wall, that bundle powerful features of their respective operating systems with a nice web application for configuration. In my ...
4 votes
2 answers
15k views

specifying snort output files?

I'm confused about snort outputs. Where are the output file(s) supposed to be specified? OR, more specifically, I've got two files being written (alert and snort.log.xxx), but only have one output ...
user52874
4 votes
4 answers
2k views

can Snort be installed on VPS?

I want the maximum security for my linux VPS. I found many tutorials around the net, but they don't cover Snort, only things like portsentry, logsentry, tripwire and so on. So I'm beginning to think ...
4 votes
1 answer
4k views

How do iptables work with NFQ in terms of traffic shaping in snort?

I'm trying to understand how iptables and NFQ work together with snort. The reason that I ask this is because from what I understand snort can be set to IPS via NFQ but if you have iptables there ...
Danny
3 votes
5 answers
3k views

IDS for Linux?

We need to set up an intrusion detection system (IDS) on our linux proxy server. Please suggest intrusion detection systems. Anything other than Snort? And ... does snort have a good web interface?
nitin
3 votes
3 answers
5k views

Snort Based Firewall

I have not worked with SNORT much or done too much research on this, but it sounds possible. If I set up a server and run snort on it, would it then be possible to route ALL my traffic through it like ...
Tiffany Walker
3 votes
2 answers
1k views

is there any real Difference between snort and suricata?

Looking to move forward in deploying IDS/IPS on several FreeBSD firewalls and I was curious about the difference between snort and suricata. I know that Suricata is multi-threaded but in terms of rule ...
Jason
3 votes
2 answers
11k views

pfSense and Disabling SURICATA UDPv4 invalid checksum

We have a pfSense router running with packet inspection. Our logs are filling up with these requests: SURICATA UDPv4 invalid checksum Research shows that we should do the following: Disable the ...
Jason
3 votes
4 answers
31k views

Snort: Unable to open rules file

This is my first with snort. And I can't get it to run. I followed this tutorial exactly. And I have fedora 21. Here's the output from snort -c /etc/snort/snort.conf -v -i enp0s3: Running in IDS ...
MadeOfAir
3 votes
2 answers
6k views

Centos KVM Host OS not passing all network traffic Guest OS

I'm running KVM on Centos 5. I have a guest OS, ubuntu 10.04, that has Snort 2.9 installed on it. The guest OS has (2) nic's, eth0 and eth1. One nic, eth0, is configured with an IP and can be ...
user97026
3 votes
2 answers
19k views

Snort not sending alert log file to syslog server?

I am set up with three virtual machines running Ubuntu - a Server, Client, and Gateway. I am tasked with setting up Snort on the Gateway to monitor "attacks" from the Client to the Server. Snort is ...
rphello101
3 votes
1 answer
2k views

Snort configuration: why is RULE_PATH undefined?

I am installing and configuring Snort 3 for the first time on CentOS 8 while following the Snort 3.0.3 on CentOS8 manual from Snort's official documentation (I can't link directly to it as it's ...
Eric132
2 votes
3 answers
6k views

Snort not detecting outgoing traffic

I'm using Snort 2.9 on windows server 2008 R2 x64, with a very simple configuration that goes like this: # Entire content of Snort.conf: alert tcp any any -> any any (sid:5000000; content:"...
Reacen
2 votes
1 answer
4k views

What is the difference between fail2ban and snort?

I have a server that is exposed to the internet and I would like to provide some protection against DDOS attacks. Currently, I am considering using either fail2ban and/or snort. I know that they have ...
Andrew Eisenberg
2 votes
2 answers
2k views

Linux or Windows based firewall using Snort

I am wondering if anyone can point me to documentation on how to set up a basic Linux or Windows host that receives inbound Internet traffic on eth0, runs it through Snort and then passes the traffic ...
Scott Davies
2 votes
2 answers
5k views

Custom Rules for Snort

I need to allow certain traffic through which is being blocked by snort, e.g. ICMP from a specific address. How can I do this?
keyoke
2 votes
1 answer
5k views

Tuning Snort Rules: COMMUNITY SIP TCP/IP message flooding directed to SIP proxy

This is a common problem in Snort, but I'm not sure why the rule triggers at all. The rule below comes from the Debian repositories. Apparently it is designed to trigger when there are more than ...
mgjk
2 votes
1 answer
4k views

Snort/Barnyard2 Logging

I need some help with my Snort/Barnyard2 setup. My goal is to have Snort send unified2 logs to Barnyard2 and then have Barnyard2 send the data to other locations. Here is my current setup. OS ...
Eric
2 votes
1 answer
14k views

snort: drop icmp rule doesn't actually drop packets

I installed snort-2.9.7 from sources, and launch as IDS: % snort -devQ -A console -c /etc/snort/snort.conf -i eth0:eth1 Enabling inline operation Running in IDS mode ... The config file is very ...
Mark
2 votes
1 answer
59 views

POLICY Mozilla Multiple Products HTML href shell attempt - SNORT

We've had a few of these alerts get triggered through Snort: "POLICY Mozilla Multiple Products HTML href shell attempt" I'm struggling to find any information pertaining to this alert, does anyone ...
mbuk2k
2 votes
1 answer
2k views

snort not logging full output to syslog

I am able to send snort alerts to my remote syslog server but I am not able to see full alert message; I only see basic information like title, source and destination IP. I am specifically interested ...
user100807
2 votes
1 answer
276 views

Are random packets normal?

About a month ago on one of my servers I started receiving random packets from IPs all over the world. So I did the smart thing and stopped putting off installing an IDS. This IDS is a ClearOS Gateway ...
TheLQ
2 votes
0 answers
2k views

Suricata logs "A Network Trojan was detected". Is it false positive?

I use Suricata as an IDS on the local network, which doesn't have internet access. It logged a few alerts from some clients that said A Network Trojan was detected. All the log's properties are in the following:...
Arani
2 votes
1 answer
1k views

Can Suricata be used as an effective IPS on a single server?

I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major ...
Christopher Hinkle
2 votes
0 answers
170 views

Snort rules detection

I have a snort rule that is not detected in a pcap. In some pcap files this rule is detected, in some others not. I tried a lot of possible options, but no detection. Maybe if someone can help me, it would be good ;-)...
marco
2 votes
0 answers
307 views

Configuring Barnyard2 Output Plug-In Per Input Source

I am currently using snort-2.9.3.1 outputting unified2 log format and using barnyard2-1.9 to process the alerts and send them to both syslog and a database. In some cases I have multiple instances of ...
Scott Pack
2 votes
0 answers
411 views

Implications of unified2 logging with multiple instances of snort

I am beginning to migrate my snort logging from alert_syslog to unified2 using barnyard2 as the processor. In some cases I have multiple instances of snort running on the same system. Since I have ...
Scott Pack
1 vote
2 answers
3k views

how can I mirror all of the traffic on a network interface to a virtual interface

I am trying to setup snort to act as an ids, on a debian machine that also functions as a router. Ideally I would like to setup snort in such a way so that I would not have to purchase an additional ...
lacrosse1991
1 vote
2 answers
5k views

pfSense and Snort: unexpected portscan traffic on interface

I have a pfSense box acting as my public facing router and stateful firewall. There is 1 WAN interface and several LAN interfaces using private IPs behind NAT. I EXPECT to see portscans or all kinds ...
user145837
1 vote
3 answers
2k views

What are some of the commonly used rule actions in snort other than the defaults?

I'm writing a strict snort rule parser and I would like to accommodate snort rules from popular plugins. The documentation specifies that any action/type is possible because they can be defined by ...
Elijah
1 vote
2 answers
3k views

How can I put snort in front of nginx server

I want to prevent attacks on my nginx server. How can I proxy the requests through snort to the nginx server? NFQueues are a solution. I am able to pass packets to snort using the following rules: sudo ...
manu_dilip_shah
1 vote
1 answer
3k views

Snort IDS on HAproxy with encrypted traffic

Using HAproxy, can I direct traffic to a backend server from all the other backend servers in a pool? From a networking standpoint, it would be comparable to mirroring all ports on a switch to one ...
Leonard Pringle
1 vote
1 answer
598 views

Problems running snort's web frontend

I can't find a good snort web frontend that works properly. I tried base i got so many errors while trying to get it to work: Warning: include_once(Mail.php) [function.include-once]: failed to open ...
alexus
1 vote
1 answer
4k views

snort3 Undefined variable in the string: HOME_NET

I have installed snort3 on my ubuntu server using this URL from the snort web site: Snort 3.0.1 on Ubuntu 18 & 20 I have compiled it according to the instructions and edited /usr/local/etc/snort/...
englishPete
1 vote
1 answer
3k views

Suspicious DNS query leads to "Intrusion protection alert" on Sophos UTM

A customer Sophos-UTM reports Intrusion protection alert warnings INDICATOR-COMPROMISE suspicious .null dns query: 2019:01:15-11:54:13 utm-ba snort[31619]: id="2101" severity="warn" sys="SecureNet" ...
marsh-wiggle
1 vote
1 answer
2k views

Snort not sniffing any traffic except its own

I'm currently trying to set up Snort on my local machine. At the moment I have 3 VMs: 1 with snort on it and 2 used to ping each other. Whenever I ping from one of the devices to the Snort machine, ...
Sander Willems
1 vote
1 answer
3k views

Suricata, Docker, and host networking: No non-docker traffic

I've created a docker container with Suricata and Evebox on it. On my host I start with: ifconfig enp2s0:1 192.168.0.111 netmask 255.255.255.0 up This sets up a new interface off my existing one. I ...
Fmstrat
1 vote
1 answer
2k views

Replaying pcap file for Snort

I currently have the following, presumably standard, setup: I have a physical server with Snort running. Snort logs into its log files as it should. Those files are tracked by barnyard2 which writes ...
Roper
1 vote
1 answer
1k views

Why doesn't Snort match on DNS response?

This is likely a beginner's misunderstanding. System is: Ubuntu AMD64, 14.04.03 LTS; installed Snort with default configuration. I am writing a Snort rule that deals with DNS responses. In order to ...
Bridgey
1 vote
1 answer
421 views

Is it possible to use syslog-ng to forward logs to SecurityOnion ELSA?

I have installed Snort IDS and syslog-ng on my VM, and I want to use syslog-ng to forward my logs to another vm which is SecurityOnion. So I want to know can syslog-ng forward logs to ELSA which is in ...
technoob
1 vote
2 answers
2k views

Trouble Starting Snorby / Ruby dependency issue

I am trying to install Snorby on a CentOS 6.6 machine and keep getting an issue with ruby and my Gemfile. I believe I either have to edit my Gemfile or it has something to do with an installation ...
rubyhelp