Questions tagged [snort]

Snort is a software package used for network intrusion detection.

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). It was created by Martin Roesch in 1998.

125 questions

1 vote · 0 answers

Snort rule for detecting DNS packets of type NULL

I am trying to detect DNS requests of type NULL using Snort. I located the type field of the request packet using Wireshark: I found the following rule on McAfee: alert udp any any -> any 53 (msg:"NULL request"; content:"|01 00|"; offset:2; within…
arne.z
1 vote · 1 answer

Why doesn't Snort match on DNS response?

This is likely a beginner's misunderstanding. System is: Ubuntu AMD64, 14.04.03 LTS; installed Snort with default configuration. I am writing a Snort rule that deals with DNS responses. In order to make sure everything was working I wrote the…
Bridgey
1 vote · 1 answer

Is it possible to use syslog-ng to forward logs to SecurityOnion ELSA?

I have installed Snort IDS and syslog-ng on my VM, and I want to use syslog-ng to forward my logs to another VM which is SecurityOnion. So I want to know whether syslog-ng can forward logs to ELSA, which is in SecurityOnion. Any help would be great. Thank…
technoob
1 vote · 2 answers

How can I put Snort in front of an nginx server?

I want to prevent attacks on my nginx server. How can I proxy the requests through Snort to the nginx server? NFQueues are a solution. I am able to pass packets to Snort using the following rules: sudo snort -Q --daq nfq --daq-var --daq-var queue=1 -c…
1 vote · 2 answers

Trouble Starting Snorby / Ruby dependency issue

I am trying to install Snorby on a CentOS 6.6 machine and keep getting an issue with ruby and my Gemfile. I believe I either have to edit my Gemfile or it has something to do with an installation path. Any help would be much appreciated. bundle…
rubyhelp
1 vote · 1 answer

Snort IDS on HAproxy with encrypted traffic

Using HAproxy, can I direct traffic to a backend server from all the other backend servers in a pool? From a networking standpoint, it would be comparable to mirroring all ports on a switch to one port for inspection. This way I could pass all…
1 vote · 1 answer

snort complains on local.rules

I just installed snort-2.9.7.0 on Fedora 20, and am getting an error when running: % snort -c /etc/snort/snort.conf --dump-dynamic-rules=/tmp Running in Rule Dump mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing…
Mark
1 vote · 0 answers

Barnyard2 error on start

I've been setting up a Snort box with barnyard2 and ran into the error below. Can someone please help? $Starting Snort Output Processor (barnyard2): ./barnyard2: 35: ./barnyard2: barnyard2: not found /etc/init.d/barnyard2 file #!/bin/sh # # Init file for…
user3329963
1 vote · 3 answers

How to configure sensor rules in OSSIM

We've recently moved our NIDS installation from StrataGuard to the new OSSIM 2.1 release to take advantage of the additional features (Nagios, ntop, Nessus/OpenVAS, etc.) it provides in addition to just Snort. So far, I'm very impressed with OSSIM…
nedm
1 vote · 0 answers

Configure frag3 in Snort

I'm trying to test IDS systems on evasion. I have picked Snort IDS. I have crafted a few fragmented packet scenarios, and I'm sending those fragmented packets to the destination address. All these crafted scenarios break RFC rules in some way. So I'm…
mgaspar
1 vote · 1 answer

Can IPtables (possibly with libnetfilter_queue library) do everything that snort does?

I have just started getting into network security, firewall, etc. So, please excuse me for asking this basic question. I looked at IPtables and got a good hang of it (nowhere close to becoming an expert) but understand the packet flow, hooks and to…
Sunny
1 vote · 1 answer

Snort, Portscans and Scanned IP Range field

According to manual.snort.org, a TCP portscan goes from one computer to another one, but when you take a look at a TCP portscan alert in Snort/Snorby you can see this: On one hand: Source: 136.238.4.165 Dest: 10.19.0.5 On the other…
Txalin
1 vote · 1 answer

Monitor a machine plugged on a mirroring interface

I've read that if I configure port SPAN, I can no longer use that interface to pass normal traffic. However, I'd like to monitor the machine plugged into that interface with Nagios. Does anyone know a workaround? Thanks
Mordor
1 vote · 2 answers

pfSense and Snort: unexpected portscan traffic on interface

I have a pfSense box acting as my public facing router and stateful firewall. There is 1 WAN interface and several LAN interfaces using private IPs behind NAT. I EXPECT to see portscans or all kinds of things with Snort on the WAN interface. I don't…
user145837
1 vote · 1 answer

What class of software should I use to intercept HTTP requests and perform an action?

We have inherited an old Web application that needs to be extended with some logging capacities for compliance purposes. Unfortunately, we can't change the application. The application receives XML POST requests. We need to capture several specific…
test1839