Questions tagged [snort]

Snort is a software package used for network intrusion detection.

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). It was created by Martin Roesch in 1998.

125 questions
2 votes, 1 answer

POLICY Mozilla Multiple Products HTML href shell attempt - SNORT

We've had a few of these alerts get triggered through Snort: "POLICY Mozilla Multiple Products HTML href shell attempt". I'm struggling to find any information pertaining to this alert; does anyone have any idea what it could mean? Thanks in advance.
mbuk2k
2 votes, 1 answer

Snort/Barnyard2 Logging

I need some help with my Snort/Barnyard2 setup. My goal is to have Snort send unified2 logs to Barnyard2 and then have Barnyard2 send the data to other locations. Here is my current setup. OS Scientific Linux 6 Snort Version 2.9.2.3 Barnyard2…
Eric
2 votes, 0 answers

Implications of unified2 logging with multiple instances of snort

I am beginning to migrate my snort logging from alert_syslog to unified2 using barnyard2 as the processor. In some cases I have multiple instances of snort running on the same system. Since I have historically used syslog, it handled the multiple…
Scott Pack
2 votes, 1 answer

snort not logging full output to syslog

I am able to send Snort alerts to my remote syslog server but I am not able to see the full alert message; I only see basic information like title, source and destination IP. I am specifically interested in receiving the XREF (CVE, Bugtraq etc.) field. I am…
user100807
2 votes, 2 answers

Custom Rules for Snort

I need to allow certain traffic through which is being blocked by Snort, e.g. ICMP from a specific address. How can I do this?
keyoke
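An added example for the question above, not taken from the question or from any answer on this page: two Snort 2.x `pass` rules that exempt one trusted host's ICMP from the rules that would otherwise alert on or drop it. The host address 192.0.2.10 (RFC 5737 documentation range), the sids and the message strings are assumptions; `$HOME_NET` is the variable defined in a standard snort.conf.

```snort
# Added example, not from the page. Put these in local.rules (sids >= 1000000 are
# reserved for local rules). 192.0.2.10 is a placeholder for the trusted host.

# Broad form: ignore every ICMP packet from the trusted host to the protected network.
pass icmp 192.0.2.10 any -> $HOME_NET any (msg:"LOCAL pass all ICMP from trusted monitor"; sid:1000001; rev:1;)

# Narrow form (preferred): exempt only echo requests (itype 8), so other ICMP types
# from the same host, e.g. redirects or unreachables, are still inspected.
pass icmp 192.0.2.10 any -> $HOME_NET any (msg:"LOCAL pass ICMP echo request from trusted monitor"; itype:8; sid:1000002; rev:1;)
```

One check before relying on this: a `pass` rule only suppresses the other rules if pass is evaluated ahead of alert/drop in the rule order. Confirm the order your build uses (the `config order:` directive in snort.conf, or the `-o` switch documented in `snort --help`) and run `snort -T -c /etc/snort/snort.conf` to make sure the new rules parse, then re-send a ping from the exempted host and verify it no longer appears in the alert output.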
2 votes, 1 answer

Are random packets normal?

About a month ago on one of my servers I started receiving random packets from IPs all over the world. So I did the smart thing and stopped putting off installing an IDS. This IDS is a ClearOS Gateway which comes with Snort and SnortSam. I enabled…
TheLQ
1 vote, 1 answer

Problems running snort's web frontend

I can't find a good Snort web frontend that works properly. I tried BASE; I got so many errors while trying to get it to work: Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in…
alexus
1 vote, 0 answers

Suricata: Error opening file threshold.config

I use Suricata 4.0.5 (an open source IDPS) on Windows Server 2012. It raises the error below when I run it; however, it runs. Error opening file threshold.config I searched for this error and found these links: Suricata can't start due to…
AlirezaK
1 vote, 1 answer

Suspicious DNS query leads to "Intrusion protection alert" on Sophos UTM

A customer Sophos-UTM reports Intrusion protection alert warnings INDICATOR-COMPROMISE suspicious .null dns query: 2019:01:15-11:54:13 utm-ba snort[31619]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert"…
marsh-wiggle
1 vote, 0 answers

Snort for Windows - how to get payload info out to log file, for later analysis?

I am running Snort v2.9.12 for Windows. I am getting (via -d option) payload information on console, but it is not going out to the Snort log file. I am only getting the header information. I modify the configuration file (\etc\snort.conf) in the…
user194960
1 vote, 1 answer

Snort not sniffing any traffic except its own

I'm currently trying to set up Snort on my local machine. At the moment I have 3 VMs: 1 with Snort on it and 2 used to ping each other. Whenever I ping from one of the devices to the Snort machine, Snort notices it and sends an alert. However, when…
1 vote, 0 answers

Snort not dropping packets

As we want to protect our network from malicious traffic, we are thinking about setting up Snort on our routers. For testing I built a system to replicate the network architecture, consisting of my host machine and two VMs. Host is in network…
Dero
1 vote, 1 answer

Suricata, Docker, and host networking: No non-docker traffic

I've created a docker container with Suricata and Evebox on it. On my host I start with: ifconfig enp2s0:1 192.168.0.111 netmask 255.255.255.0 up This sets up a new interface off my existing one. I then run the docker container like so: docker run…
Fmstrat
1 vote, 1 answer

How to set Suricata to log only DNS queries that come from specific IP addresses?

I am new to working with IDSs such as Suricata/Snort. I am currently trying to use Suricata to log DNS requests and responses to malicious domains on my network. On my DNS server I made it so that any request to, say, bad.com would resolve to…
Ahad Sheriff
1 vote, 1 answer

Replaying pcap file for Snort

I currently have the following, presumably standard, setup: I have a physical server with Snort running. Snort logs into its log files as it should. Those files are tracked by barnyard2 which writes the traffic to a database for Snorby. Snort and…
Roper