Questions tagged [snort]

Snort is a software package used for network intrusion detection.

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). It was created by Martin Roesch in 1998.

125 questions

11 votes, 1 answer

Snort is receiving traffic, but doesn't appear to be applying rules

I have snort installed and running in inline mode via NFQUEUE on my local (as in I can walk in the next room and touch it) gateway. I have the following rule in my /etc/snort/rules/snort.rules: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS…
Cliff Armstrong

11 votes, 2 answers

Snort Performance Monitoring

Using snort version 2.8.6, I am attempting to collect application performance stats such as: number of packets not processed due to application overload; percentage of time in processing layers (preprocessor, reassembly, pattern matching, etc.); number…
Scott Pack

7 votes, 3 answers

Snort analysis of Wireshark capture

I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying to do offline analysis with snort (don't want to…
Ben Voigt

6 votes, 3 answers

Modern open source NIDS/HIDS and consoles?

Years back we set up an IDS solution by placing a tap in front of our exterior firewall, piping all the traffic on our DS1 through an IDS box and then sending the results off to a logging server running ACiD. This was around 2005-ish. I've been…
MattC

6 votes, 1 answer

Snort rules for SYN flood / DDoS?

Can someone provide me rules to detect the following attack: hping3 -S -p 80 --flood --rand-source [target] I'm having problems with rules since the packets come from random sources. My current rule is: alert tcp !$HOME_NET any -> $HOME_NET 80 (flags:…
NoodleX

5 votes, 2 answers

Updating snort rules automatically

I've been working on getting my snort machine up and running, and working through Snort IDS and IPS Toolkit. The authors suggest using Oinkmaster, but on that website, the last update was February of 2008. That seems sort of...odd. Maybe there…
Matt Simmons

5 votes, 1 answer

How can I run a shell script on a snort alert?

I have snort listening to the SPAN port of a Cisco switch. I'd like to be able to add an iptables DROP rule on my webserver for specific snort alerts, but I'm having a hard time finding out exactly how to do that. I'd like the blocking to happen in…
Server Fault

5 votes, 2 answers

Why do my Snort logs appear to be empty?

So I was following this guide on how to install Snort, Barnyard 2 and the like. I've set up Snort so it would run automatically, by editing the rc.local file: ifconfig eth1 up /usr/local/snort/bin/snort -D -u snort -g snort \ -c…
hdr

4 votes, 1 answer

How do iptables work with NFQ in terms of traffic shaping in snort?

I'm trying to understand how iptables and NFQ work together with snort. The reason that I ask this is because, from what I understand, snort can be set to IPS via NFQ, but if you have iptables there are essentially firewall rules too, hence my question as to what…
Danny

4 votes, 1 answer

Running snort behind iptables

I run a CentOS 6.5 server with a highly restrictive iptables ruleset allowing incoming traffic only on a small handful of tcp ports (8 in total) and blocking all incoming unsolicited UDP traffic. I recently built snort 2.9.7.0 from source and am…
Ex Umbris

4 votes, 2 answers

Specifying Snort output files?

I'm confused about snort outputs. Where are the output file(s) supposed to be specified? OR, more specifically, I've got two files being written (alert and snort.log.xxx), but only have one output file specified (snort.log.xx) and am expecting only…
user52874

4 votes, 2 answers

Is there an appliance-style distribution with web-based configuration for Snort?

There are some great "appliance" style distributions like pfSense and M0n0wall, that bundle powerful features of their respective operating systems with a nice web application for configuration. In my opinion, these distributions cover a majority…
user62491

4 votes, 4 answers

Can Snort be installed on a VPS?

I want the maximum security for my Linux VPS. I found many tutorials round the net, but they don't cover Snort. Only those like portsentry, logsentry, tripwire and so on. So I'm beginning to think that Snort is not appropriate for a Linux host. I…
jack

3 votes, 2 answers

Is there any real difference between Snort and Suricata?

Looking to move forward in deploying IDS/IPS on several FreeBSD firewalls, and I was curious about the difference between Snort and Suricata. I know that Suricata is multi-threaded, but in terms of rule processing and otherwise how they work, is there any…
Jason

3 votes, 2 answers

pfSense and Disabling SURICATA UDPv4 invalid checksum

We have a pfSense router running with packet inspection. Our logs are filling up with these requests: SURICATA UDPv4 invalid checksum Research shows that we should do the following: Disable the stream-events.rules via SID Mgmt. (Yeah, I mean the…
Jason