Questions tagged [snort]

Snort is a software package used for network intrusion detection.

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). It was created by Martin Roesch in 1998.

125 questions
3 votes, 4 answers

Snort: Unable to open rules file

This is my first time with Snort, and I can't get it to run. I followed this tutorial exactly, and I have Fedora 21. Here's the output from snort -c /etc/snort/snort.conf -v -i enp0s3: Running in IDS mode --== Initializing Snort ==-- Initializing Output…
MadeOfAir
3 votes, 2 answers

Snort not sending alert log file to syslog server?

I am set up with three virtual machines running Ubuntu: a Server, a Client, and a Gateway. I am tasked with setting up Snort on the Gateway to monitor "attacks" from the Client to the Server. Snort is supposed to send the log files to an rsyslog server…
rphello101
3 votes, 3 answers

Snort Based Firewall

I have not worked with Snort much or done too much research on this, but it sounds possible. If I set up a server and run Snort on it, would it then be possible to route ALL my traffic through it like a firewall to my websites? Would this allow me to…
Tiffany Walker
3 votes, 2 answers

CentOS KVM host OS not passing all network traffic to guest OS

I'm running KVM on CentOS 5. I have a guest OS, Ubuntu 10.04, that has Snort 2.9 installed on it. The guest OS has two NICs, eth0 and eth1. One NIC, eth0, is configured with an IP and can be accessed from the network that the host OS is on. The…
user97026
3 votes, 5 answers

IDS for Linux?

We need to set up an intrusion detection system (IDS) on our Linux proxy server. Please suggest intrusion detection systems. Anything other than Snort? And... does Snort have a good web interface?
nitins
3 votes, 1 answer

Snort configuration: why is RULE_PATH undefined?

I am installing and configuring Snort 3 for the first time on CentOS 8 while following the "Snort 3.0.3 on CentOS8" manual from Snort's official documentation (I can't link directly to it as it's a dynamically generated PDF that can expire after some…
Eric132
2 votes, 0 answers

Suricata logs "A Network Trojan was detected". Is it a false positive?

I use Suricata as an IDS on a local network that has no internet access. It logged a few alerts from some clients that said "A Network Trojan was detected". All of the log's properties are as follows: Protocol: 006 Source: Client IP Destination:…
AlirezaK
2 votes, 1 answer

Can Suricata be used as an effective IPS on a single server?

I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major companies which say they support products for Ubuntu and…
2 votes, 1 answer

What is the difference between fail2ban and Snort?

I have a server that is exposed to the internet and I would like to provide some protection against DDoS attacks. Currently, I am considering using either fail2ban and/or Snort. I know that they have different approaches to how they work. From what…
2 votes, 0 answers

Snort rules detection

I have a Snort rule that is not detected in a pcap. In some pcap files this rule is detected, in others not. I tried a lot of possible options, but no detection. Maybe if someone can help me, that would be good ;-) Here is the rule that is detected on 2 pcap…
marco
2 votes, 1 answer

Snort: drop icmp rule doesn't actually drop packets

I installed snort-2.9.7 from sources and launch it as an IDS: % snort -devQ -A console -c /etc/snort/snort.conf -i eth0:eth1 Enabling inline operation Running in IDS mode ... The config file is very trivial: # var RULE_PATH rules # Set up the external…
Mark
2 votes, 2 answers

Linux or Windows based firewall using Snort

I am wondering if anyone can point me to documentation on how to set up a basic Linux or Windows host that receives inbound Internet traffic on eth0, runs it through Snort and then passes the traffic through eth1 to a wireless router. My main…
Scott Davies
2 votes, 3 answers

Snort not detecting outgoing traffic

I'm using Snort 2.9 on Windows Server 2008 R2 x64, with a very simple configuration that goes like this: # Entire content of Snort.conf: alert tcp any any -> any any (sid:5000000; content:"_secret_"; msg:"TRIGGERED";) # command line: snort.exe -c…
Reacen
2 votes, 0 answers

Configuring Barnyard2 Output Plug-In Per Input Source

I am currently using snort-2.9.3.1, outputting the unified2 log format, and barnyard2-1.9 to process the alerts and send them to both syslog and a database. In some cases I have multiple instances of Snort running on the same host and would like to…
Scott Pack
2 votes, 1 answer

Tuning Snort Rules: COMMUNITY SIP TCP/IP message flooding directed to SIP proxy

This is a common problem in Snort, but I'm not sure why the rule triggers at all. The rule below comes from the Debian repositories. Apparently it is designed to trigger when there are more than 300 hits on port 5060, and it will only alert once…
mgjk