Questions tagged [snort]

Snort is a software package used for network intrusion detection.

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). It was created by Martin Roesch in 1998.

125 questions
1 vote, 0 answers

Is Snort able to efficiently demux and log large HTTP POST requests?

I'm trying to debug some failed HTTP POST requests containing large file uploads (~500 MB). The end-user is receiving strange HTTP responses that are not being logged in either varnish's varnishncsa facility, varnish's varnishlog facility, or any of…
1 vote, 0 answers

Snort/Barnyard2-1.10 LOG_SYSLOG_FULL Output Logging

With log_syslog_full operation mode set to complete you get the below output. Can someone explain to me what the bold parts are? I have been searching and cannot find any documentation explaining the new file output format. | [SNORTIDS[LOG]: [IDS1] ] ||…
Ron
1 vote, 2 answers

How can I mirror all of the traffic on a network interface to a virtual interface?

I am trying to set up snort to act as an IDS on a Debian machine that also functions as a router. Ideally I would like to set up snort in such a way that I would not have to purchase an additional network adapter just to have it listen to the same…
lacrosse1991
1 vote, 3 answers

What are some of the commonly used rule actions in snort other than the defaults?

I'm writing a strict snort rule parser and I would like to accommodate snort rules from popular plugins. The documentation specifies that any action/type is possible because they can be defined by plugins. However, I would like to have a list of…
Elijah
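The rule-parser question above is one a worked example fits well. What follows is an added example, not code from any answer on this page and not Snort's own parser: a strict parser for the Snort 2 rule header that accepts only the eight actions built into Snort 2 (alert, log, pass, activate, dynamic, drop, reject, sdrop) plus whatever extra actions the caller registers, which is how plugin- or `ruletype`-defined actions can be accommodated without accepting arbitrary words. The option splitter honours quotes and backslash escapes so a `;` inside `msg:"..."` or `content:"..."` is not treated as a separator. The names `Rule`, `RuleError`, `parse_rule` and `validate` are this example's own.

```python
import re
from dataclasses import dataclass, field

# The eight rule actions built into Snort 2. Anything else must be declared
# (ruletype block or plugin), so the parser only accepts extra actions the
# caller registers explicitly instead of taking any leading word.
BUILTIN_ACTIONS = frozenset(
    {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"})
PROTOCOLS = frozenset({"tcp", "udp", "icmp", "ip"})

# Header layout: action proto src sport dir dst dport [(options)]
_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"(?:\((?P<opts>.*)\))?\s*$", re.S)


class RuleError(ValueError):
    """Raised for anything a strict parser should refuse."""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)


def split_options(body):
    """Split the option body on ';' while honouring double quotes and
    backslash escapes, so a ';' inside msg:"..." or content:"..." survives."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            tok = "".join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(ch)
    if quoted:
        raise RuleError("unterminated quote in rule options")
    tail = "".join(cur).strip()
    if tail:
        raise RuleError("option not terminated by ';': %r" % tail)
    parsed = []
    for tok in opts:
        key, sep, val = tok.partition(":")
        parsed.append((key.strip(), val.strip() if sep else None))
    return parsed


def parse_rule(text, extra_actions=()):
    """Parse one rule into a Rule; raise RuleError on an unknown action or
    protocol, a malformed header, or malformed options."""
    m = _HEADER.match(text.strip())
    if not m:
        raise RuleError("malformed rule header")
    action = m.group("action")
    if action not in BUILTIN_ACTIONS and action not in set(extra_actions):
        raise RuleError("unknown rule action %r" % action)
    if m.group("proto") not in PROTOCOLS:
        raise RuleError("unknown protocol %r" % m.group("proto"))
    return Rule(action, m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"),
                split_options(m.group("opts") or ""))


def validate(text, extra_actions=()):
    """Return None when the rule parses, otherwise the error message."""
    try:
        parse_rule(text, extra_actions)
    except RuleError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
                     '(msg:"GET; with semicolon"; content:"GET"; sid:1000001; rev:1;)'))
```

Pass the actions your rule sources define through `extra_actions`; a rule whose action is not in either set is rejected rather than silently accepted, which is the behaviour a strict parser wants.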
1 vote, 2 answers

Snort [PFSense] is configured but not blocking or generating alerts!

I've got PFSense V 2.0-RC1 (i386) and I've got the latest version of Snort installed. I've loaded up a bunch of rules from Oinkmaster, I've enabled all of the preprocessors, and I've ensured the service is started. When I let it sit for a while and…
Chase Florell
1 vote, 1 answer

Snort monitoring of spanning interface

I have configured a Cisco 3500 switch with a port SPAN and have my snort node (fedora 13) plugged into it. I am running snort as a daemon and have configured a rule to log all tcp traffic but I am only seeing traffic with a destination of the snort…
aHunter
1 vote, 1 answer

Iptables QUEUE Target and Snort

I'm trying to set up a firewall with support for snort, and it is dropping all of my packets when I add the QUEUE target. I've made it like this, but the QUEUE target is not allowing the packets to be processed any further: -A INPUT -p tcp -m tcp…
bradlis7
1 vote, 1 answer

Can snort output an alert for a portscan (sfPortscan) to syslog?

I've been working on this for too long now. I'm sure the answer should be obvious, but... Snort manual: http://www.snort.org/assets/125/snort_manual-2_8_5_1.pdf lists two logging outputs on pg 39 (pg 40 according to Acrobat Reader) as: "Unified…
Jamie McNaught
1 vote, 1 answer

Unable to get Honeynet Snort Inline Toolkit

I have to deploy a Snort based intrusion prevention system. I am a total newbie in this, so any kind of help or references for starters would be highly appreciated. Also snort documentation talks about Honeynet Snort Inline Toolkit, but the available…
Ashish Sharma
1 vote, 4 answers

Rsyslog mail module not working

I would like to email snort alerts from my Debian Lenny fw. Syslog is sending log messages from the firewalls to a central rsyslog. On my central rsyslog, I got something like : $ModLoad ommail $ActionMailSMTPServer…
Henry-Nicolas Tourneur
0 votes, 1 answer

Ubuntu 18.04 snort protection

Recently I installed Snort on my Ubuntu Server 18.04 and also wrote some rules in local.rules. It perfectly detects my rules like ping, simple DoS attacks, etc. I have 4 questions: How can I block a specific IP address in Snort detection…
Mehdi bmp
0 votes, 0 answers

Use Snort 2.9 rules for Snort 2.8.6

Unfortunately Snort hasn't released rule updates for 2.8.6 since 2017. All customers should upgrade to 2.9. But 2.9 is x64 and my OS is Fedora x86. I need to update my Snort 2.8.6 signatures. Is there any source to get updates or any solution that converts…
0 votes, 0 answers

Running snort and IGMP v2 flooding

I am not a network guru so please bear with me. I am running snort on a PLC (running rt-linux) along with an application that needs to communicate with another instance of the same application residing on another PLC, via multicast. I have…
awatan
0 votes, 0 answers

Making a post-alert script for snort

I'm trying to make a script that triggers an action if 5 snort rules were broken in a 24-hour interval. I'm putting all my snort logs in alert.log. Can someone help me to make a script that monitors this file and does an action (echo for example) if 5 new…
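The question above asks for a threshold over a time window, which is a small sliding-window counter over the alert log. The following is an added example, not a script from any answer on this page: it parses Snort's "fast" alert line format (`MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...`), counts the alerts whose timestamp falls inside the last 24 hours, and calls a placeholder action once the count reaches the threshold. Two assumptions are made here: the log is in fast-alert format, and because that format carries no year unless snort is run with `-y`, the year is taken from the reference time with a December-to-January rollover check. `SAMPLE_LOG`, `NOW` and `fire_action` are constructed for the example and are not real traffic or a real action.

```python
import re
import sys
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
THRESHOLD = 5

# Fast-alert lines: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...".
# No year is present (unless snort runs with -y), so it is taken from `now`.
_LINE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]")

# Constructed sample log (not real traffic): one alert older than 24 h, one
# junk line that must be skipped, and five alerts inside the window before NOW.
NOW = datetime(2019, 1, 15, 12, 0, 0)
SAMPLE_LOG = """\
01/14-09:00:00.000001  [**] [1:1000001:1] LOCAL ICMP ping [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1
this line is not an alert and must be ignored
01/14-13:30:00.000002  [**] [1:1000001:1] LOCAL ICMP ping [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1
01/15-01:15:00.000003  [**] [1:1000002:1] LOCAL SYN flood [**] [Priority: 2] {TCP} 10.0.0.9:5555 -> 192.168.1.1:80
01/15-08:00:00.000004  [**] [1:1000002:1] LOCAL SYN flood [**] [Priority: 2] {TCP} 10.0.0.9:5556 -> 192.168.1.1:80
01/15-10:45:00.000005  [**] [1:1000003:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 10.0.0.9:40000 -> 192.168.1.1:22
01/15-11:59:59.000006  [**] [1:1000003:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 10.0.0.9:40001 -> 192.168.1.1:22
"""


def parse_alert(line, now):
    """Return (timestamp, sid, msg) for a fast-alert line, or None for
    anything that is not one (junk lines, payload dumps, a bad date)."""
    m = _LINE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime("%d/%s/%s %s" % (now.year, m.group("mon"),
                                                m.group("day"), m.group("time")),
                               "%Y/%m/%d %H:%M:%S")
    except ValueError:          # e.g. 02/29 against a non-leap reference year
        return None
    if ts > now + timedelta(days=1):   # written last year (Dec -> Jan rollover)
        ts = ts.replace(year=now.year - 1)
    return ts, int(m.group("sid")), m.group("msg")


def recent_alerts(lines, now, window=WINDOW):
    """Alerts whose timestamp lies in (now - window, now]."""
    out = []
    for line in lines:
        parsed = parse_alert(line, now)
        if parsed and now - window < parsed[0] <= now:
            out.append(parsed)
    return out


def should_fire(lines, now, threshold=THRESHOLD, window=WINDOW):
    """True when at least `threshold` alerts fall inside the window."""
    return len(recent_alerts(lines, now, window)) >= threshold


def fire_action(alerts):
    # Hypothetical placeholder for the real action (mail, iptables, ...).
    print("threshold reached: %d alerts in the last 24h, sids %s"
          % (len(alerts), sorted({a[1] for a in alerts})))


if __name__ == "__main__":
    # Usage: script.py /var/log/snort/alert.log   (no argument runs the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path).read().splitlines() if path else SAMPLE_LOG.splitlines()
    now = datetime.now() if path else NOW
    hits = recent_alerts(lines, now)
    if len(hits) >= THRESHOLD:
        fire_action(hits)
```

Run it from cron every few minutes against the real file; because it re-reads the whole log and evaluates the window each time, it does not need a byte offset, but you will want to record when the action last fired so a sustained burst does not trigger it on every run.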
0 votes, 1 answer

Any way to save Suricata alert payload?

I've followed some directions for setting up Graylog and Snort (I used Suricata however) here but it would be nice to be able to see what the Alert payload was which generated the event. An application named Snorby used to do this beautifully. You…
Server Fault