Questions tagged [snort]

Snort is a software package used for network intrusion detection.

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). It was created by Martin Roesch in 1998.

125 questions
0 votes, 3 answers

My snort graphs have no words

I just got Security+ certified and started to care about my network (or use my newly acquired knowledge to make everything better). I just installed Snort, the open source IDS. I am having one issue: everything working correctly, but the graphs in BASE…
BLAKE
0 votes, 1 answer

Problems with ACID / BASE interface for SNORT IDS on remote host

I've just installed SNORT and ACID/BASE following this step by step tutorial: https://help.ubuntu.com/community/SnortIDS on a remote Debian host over SSH. The main difference being that I have already set up a firewall that filters all incoming…
Benny
0 votes, 1 answer

snort fedora core x86_64 rules

Does anyone know where I can download the snort rules for Fedora Core 13 x86_64, not i386, if they even exist? Thanks
aHunter
0 votes, 3 answers

Extremely Large MySQL Data sets

I'm running Snort in conjunction with MySQL for logging, which is generating ENORMOUS datasets (currently the event table is over 2.5 million, I don't know exactly how much because it only goes up to 2.5 million before it clunks out from using too…
tearman
0 votes, 2 answers

Where is the location of snort.conf

I've installed Snort, but can't find the snort.conf file in either /etc/ or /usr/local/ (and don't have a snort directory in these locations either). Do you know where snort.conf is? My version is 2.8.6
Thang Nguyen
0 votes, 2 answers

SPAN/Port mirroring on Linksys switch

I'm trying to deploy a Snort box in my LAN. I have a Linksys SRW248G4 and am trying to configure port mirroring so that Snort can listen to everything on the network in promiscuous mode. So in ADMIN / Port Mirroring, I have 3 things: Source Port…
Bastien974
0 votes, 0 answers

Snort: What is the proper way to enable the IPS-Mode?

The Internet is full of instructions on how to install Snort. The result of all the instructions is that Snort works great in default configuration (IDS-Mode = Detect Only). However, I would like Snort not only to detect suspicious traffic, but also…
Gill-Bates
0 votes, 0 answers

Maltrail vs. Snort - which runs better?

I have a problem: Snort can run as IDS/IPS and Maltrail can too (in conjunction with fail2ban). I like Maltrail better because it comes with a dashboard and is easier to configure. Do any of you have experience which solution works more reliably?
Gill-Bates
0 votes, 2 answers

Snort: How to block suspicious Traffic?

Snort comes by default (Debian) with a bunch of Rules. They are all configured as "Alert". When I want to block suspicious traffic (IPS-Mode), do I need to change all Rules from Alert to Block or is there another mechanism? What is best practice?
Gill-Bates
0 votes, 1 answer

Snort DAQ: which NIC should run in promiscuous mode?

I want to use Snort 2.x as IPS. I have understood that I need two NICs to capture the traffic (DAQ-Mode). eth0 = my network card to the WAN, eth1 = my internal (virtual) NIC for Snort. My current Run-Command: snort -u snort -g snort -c…
Gill-Bates
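The three questions above from Gill-Bates (enabling IPS mode, blocking instead of alerting, and the two-NIC DAQ setup) all concern the same Snort 2.x inline configuration. The fragment below is an added example and is not taken from any post or answer on this page; it shows the pieces that differ from a default detect-only install: the run command with -Q and the afpacket DAQ bridging the two interfaces (eth0 and eth1 as named in the question), policy_mode set to inline, and a rule whose action is drop rather than alert. The config path, the rule file name, the message text and the sid values are assumptions.

```snort
# Added example, not from any post on this page. Paths, interface names,
# messages and sids are assumptions.
#
# Run command for Snort 2.x inline (IPS) mode. -Q enables inline mode; the
# afpacket DAQ bridges eth0 and eth1 so packets must pass through Snort.
#   snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf -u snort -g snort

# --- snort.conf fragment ---
# Declare the policy inline so "drop" actions actually drop instead of
# being treated as alerts (the default is tap / detect only).
config policy_mode:inline

# Locally written rules; sids from 1000000 upwards are reserved for them.
include $RULE_PATH/local.rules

# --- local.rules ---
# The distributed rule sets use the "alert" action. In inline mode an alert
# rule still only logs; the matching packet is forwarded unchanged.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL web request for /etc/passwd (alert only)"; flow:to_server,established; content:"/etc/passwd"; nocase; http_uri; classtype:web-application-attack; sid:1000001; rev:1;)

# Same match with the "drop" action: in inline mode the packet is blocked
# and the event is logged. The action on each rule decides enforcement, so a
# rule must carry drop (or reject) for its traffic to be blocked.
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL web request for /etc/passwd (dropped)"; flow:to_server,established; content:"/etc/passwd"; nocase; http_uri; classtype:web-application-attack; sid:1000002; rev:1;)
```

Without -Q and an inline-capable DAQ the drop rule behaves like an alert rule, so both halves are needed for enforcement to take effect.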
0 votes, 1 answer

What does uid in snort mean

I was writing a snort rule for a specific exploit and then came across one solution that details as "uid=0(root)". Can someone explain what that is and why it is mentioned in order to capture the packet containing root content in it.
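As an added example that is not taken from the question above or from any answer on this page: "uid=0(root)" is the start of the line the id command prints when it runs as root, so a rule that looks for that string in traffic flowing back from a server catches the output of a successful command-execution exploit (a root shell answering a command) whatever the exploit was. The rule below is in Snort 2.x syntax; the message text and the sid are assumptions.

```snort
# Added example, not from the question or any answer on this page.
# The output of `id` as root begins "uid=0(root) gid=0(root) ...".
# Matching that string in a server's reply detects the result of an
# exploit (a root shell answering commands) rather than the exploit itself,
# which is why the string appears in rules for many different exploits.
# |28| and |29| are the hex escapes for "(" and ")". flow:from_server
# restricts the match to the reply direction of an established TCP session.
# sid is an assumed local sid (>= 1000000).
alert tcp any any -> any any (msg:"LOCAL id check returned root"; flow:from_server,established; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:1000003; rev:1;)
```

Because the match is on the response, it fires only after the exploit has already succeeded; it is a compromise indicator to pair with the exploit-specific rule, not a replacement for it.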
0 votes, 1 answer

snort3 Undefined variable in the string: HOME_NET

I have installed snort3 on my ubuntu server using this URL from the snort web site: Snort 3.0.1 on Ubuntu 18 & 20 I have compiled it according to the instructions and edited /usr/local/etc/snort/snort.lua to add my HOME_NET and other variables as…
englishPete
0 votes, 1 answer

How can I install MySQL alongside MariaDB without losing my data?

I am trying to install snort, barnyard2 and base, which use MySQL, on the same machine where MISP (information sharing platform) is installed, which uses the MariaDB database. I do the following steps: 1- Installing misp with mariaDB database 2-…
switshain
0 votes, 1 answer

Can Snort write logs with the X-Forward-For or X-Real-IP headers instead of the source?

We're using HAProxy as a load balancer at layer 7 so that we can terminate SSL and inspect the traffic with Snort. The problem is that Snort sees the load balancer as the source instead of the original client. We've added X-Forward-For header but…
Brad R
0 votes, 1 answer

Using tc filter together with Snort

I need to add delay to packets after doing some modification using the SNORT inline module. However, I cannot seem to get the packets to match a filter using tc filter ... It always matches the default filter. The commands I am using are stated…
Chamara