Questions tagged [snort]
Snort is an open source network intrusion detection and prevention system (NIDS/NIPS).
211 questions
1 vote, 0 answers, 31 views
what snort rules can detect covert channels?
I'm new to snort. I'm trying to set up rules in snort to detect the presence of covert timing channels. Ideally, I would like to use pre-made rules like the snort community rules.
So far, I've found ...
0 votes, 0 answers, 86 views
Snort content syntax
Is it possible to use the symbols <, /, >, space, in the content option of a Snort rule? Or should I use URL encoding instead?
Which syntax is correct?
content:"%3Cscript%20"
content:&...
0 votes, 0 answers, 184 views
Snort fails when run as a service
I've got Snort compiled, configured, and running. Only problem I have is that it fails when I try to run it as a service. I've mainly been using the guide from here: https://snort-org-site.s3....
0 votes, 1 answer, 193 views
Snort rule doesn't match the content in Meterpreter session packet
I'm working on a university project and I'm trying to identify a reverse shell attack with Snort IDS.
For the attack I used Meterpreter/reverse_tcp and analyzed the packets via Wireshark for traces to ...
0 votes, 0 answers, 78 views
Is it possible to count SYN and ACK flags separately in a single rule in Snort?
I want to write a rule for Snort to detect lost traffic in the network. Is it possible to write a rule that, by combining the two flags SYN and ACK, declares that if the number of SYNs to the server ...
1 vote, 1 answer, 173 views
Snort / Suricata rules from HOME_NET with rule option flow:to_client
Reading through Suricata/Snort IDS rules, I can see examples such as the one below, and I am scratching my head to understand how it is feasible that a connection from home_network to external_network can have a ...
0 votes, 1 answer, 328 views
Difference between to_server and from_client in snort
I am trying to wrap my head around the difference between the different flow options in Snort.
There are four directional flow options:
Option Description
1) to_client Trigger on server ...
0 votes, 0 answers, 1k views
How to create a snort rule to detect a certain HTTP status code
I am trying to use snort to detect unauthorized HTTP access (wrong credentials or an HTTP status 401 code) by creating snort rules. I tried different combinations of snort options, but none of them ...
2 votes, 1 answer, 448 views
What is the best way to create a PCAP file containing malicious traffic?
I'm in my last year of university and for my honours project I am tasked with comparing two intrusion detection systems, snort and suricata, hosted on a virtual machine on my PC.
As I have no access ...
0 votes, 0 answers, 530 views
How to determine Snort rules source & destination IP and port
How do you figure out Snort's source & destination IP and port if the question is so vague? For example:
Write a snort rule that detects a UK NI number sent from a client's web browser to a web ...
0 votes, 0 answers, 2k views
Decrypt mobile phone app TLS/SSL traffic using Wireshark and Fiddler/Charles/MITM Proxy
I currently use fiddler/Charles Proxy/MITM proxy to decrypt and analyze SSL/TLS traffic from suspect mobile apps I want to analyze. The process I follow is to export a CA cert from Fiddler, then ...
0 votes, 0 answers, 37 views
How to configure Snort 3 to detect nmap's port scanning? [duplicate]
How to configure snort 3 to detect nmap's port scanning? For instance, I want to know that an external machine A is looking with nmap for open ports on my machine B.
Such a port scan can include all ...
0 votes, 0 answers, 838 views
Use sfportscan preprocessor in snort 3
I have not found anywhere how to configure and use sfportscan in snort 3; all documentation I can find is for snort 2. I am aware of this answer, which applies to snort 2.9, and I don't think it helps ...
1 vote, 1 answer, 519 views
Can an Intrusion Prevention System (e.g. Snort) prevent CSRF and XSS attacks?
I am currently learning about IPS and was wondering about a query that applies to how IPS works. I have knowledge of CSRF and XSS attacks, however I am unsure if Intrusion Prevention Systems can ...
0 votes, 0 answers, 413 views
Snort does not detect attacks when running in offline mode
When I run Snort on a pcap file (that contains malicious traffic), it does not detect anything.
I uncommented the rules path in Step #7 at snort.conf. Nothing changed.
How to let Snort detect ...