Questions tagged [snort]

Snort is an open source network intrusion detection and prevention system (NIDS/NIPS).

1 vote, 0 answers, 31 views

what snort rules can detect covert channels?

I'm new to snort. I'm trying to set up rules in snort to detect the presence of covert timing channels. Ideally, I would like to use pre-made rules like the snort community rules. So far, I've found ...

asked by jaic
0 votes, 0 answers, 86 views

Snort content syntax

Is it possible to use the symbols <, /, >, space, in the content option of a Snort rule? Or should I use URL encoding instead? Which syntax is correct? content:"%3Cscript%20" content:&...

asked by S_I
0 votes, 0 answers, 184 views

Snort fails when run as a service

I've got Snort compiled, configured, and running. Only problem I have is that it fails when I try to run it as a service. I've mainly been using the guide from here: https://snort-org-site.s3....

asked by David Stringham
0 votes, 1 answer, 193 views

Snort rule doesn't match the content in Meterpreter session packet

I'm working on a university project and I'm trying to identify a reverse shell attack with Snort IDS. For the attack I used Meterpreter/reverse_tcp and analyzed the packets via Wireshark for traces to ...

asked by Mattia cavaliere
0 votes, 0 answers, 78 views

Is it possible to count SYN and ACK flags separately in a single rule in Snort?

I want to write a rule for Snort to detect lost traffic in the network. Is it possible to write a rule that, by combining two flags, SYN and ACK, declares that if the number of SYNs to the server ...

asked by user16385455
1 vote, 1 answer, 173 views

Snort / Suricata rules from HOME_NET with rule option flow:to_client

Reading through Suricata/Snort IDS rules, I can see examples such as below, and I am scratching my head to understand how it is feasible that a connection from home_network to external_network can have a ...

asked by RGC
0 votes, 1 answer, 328 views

Difference between to_server and from_client in snort

I am trying to wrap my head around the difference between the different flow options in Snort. There are four directional flow options: Option Description 1) to_client Trigger on server ...

asked by Deepak
0 votes, 0 answers, 1k views

How to create a snort rule to detect a certain HTTP status code

I am trying to use snort to detect unauthorized HTTP access (wrong credentials or an HTTP status 401 code) by creating snort rules. I tried different combinations of snort options, but none of them ...

asked by Sarah Abdulrezzak
2 votes, 1 answer, 448 views

What is the best way to create a PCAP file containing malicious traffic?

I'm in my last year of university and for my honours project I am tasked with comparing two intrusion detection systems, snort and suricata, hosted on a virtual machine on my PC. As I have no access ...

asked by Conor
0 votes, 0 answers, 530 views

How to determine Snort rules source & destination IP and port

How do you figure out Snort's source & destination IP and port if the question is so vague? For example: Write a snort rule that detects a UK NI number sent from a client's web browser to a web ...

asked by Elaine
0 votes, 0 answers, 2k views

Decrypt mobile phone app TLS/SSL traffic using Wireshark and Fiddler/Charles/MITM Proxy

I currently use fiddler/Charles Proxy/MITM proxy to decrypt and analyze SSL/TLS traffic from suspect mobile apps I want to analyze. The process I follow is to export a CA cert from Fiddler, then ...

asked by IM3CPO
0 votes, 0 answers, 37 views

How to configure Snort 3 to detect nmap's port scanning? [duplicate]

How to configure snort 3 to detect nmap's port scanning? For instance I want to know that an external machine A is looking with nmap for open ports on my machine B. Such a port scan can include all ...

asked by Dawid
0 votes, 0 answers, 838 views

Use sfportscan preprocessor in snort 3

I have not found anywhere how to configure and use sfportscan in snort 3; all documentation I can find is for snort 2. I am aware of this answer, which applies to snort 2.9, and I don't think it helps ...

asked by mneumann
1 vote, 1 answer, 519 views

Can an Intrusion Prevention System (e.g. Snort) prevent CSRF and XSS attacks?

I am currently learning about IPS and was wondering about a query that applies to how IPS works. I have knowledge of CSRF and XSS attacks, however I am unsure if Intrusion Prevention Systems can ...

asked by dwayne_d11
0 votes, 0 answers, 413 views

Snort does not detect attacks when running in offline mode

When I run Snort on a pcap file (that contains malicious traffic), it does not detect anything. I uncommented the rules path in Step #7 at snort.conf. Nothing is changed. How to let Snort detect ...

asked by Mimi