Collaborate Disseminate
I saw on the snort manual an setting for the Session global processor called flush_on_alert that I’m interested in. However, when I tried to edit snort.conf to add the setting, I recieved an error upon running snort.
ERROR: /etc/snort/snor… Continue reading Snort 2.9.16 Session config flush_on_alert too many parameters error
My friend told me that NIDS like Snort are an important part of a security configuration, but to me it seems like an anti-virus program. Should security be had via correctness (such as auditing software for buffer overflows, and using stat… Continue reading Are programs like snort like an anti-virus, or is it something a security professional would use [closed]
I’m new to snort. I’m trying to set up rules in snort to detect the presence of covert timing channels. Ideally, I would like to use pre-made rules like the snort community rules.
So far, I’ve found the snort community ruleset and the emer… Continue reading what snort rules can detect covert channels?
I have a FortiWeb appliance and I have the following algorithm:
IF THREAT_LEVEL == ‘CRITICAL’ THEN
$STORED_BANNED_SRC_IP = $SRC_IP
banned_IP($SRC_IP)
AND after 30 minutes I want to unbanned $src_ip
UNBANNDED_IP($STORED_BANNED_S… Continue reading Implementation banned IP in FortiWeb [closed]
I am learning Snort rules and faced difficulties with the following excercise.
Give examples of requests which bypass the following rule.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection Attempt"; … Continue reading How to bypass the Snort rule?
I’ve got Snort compiled, configured, and running. Only problem I have is that it fails when I try to run it as a service. I’ve mainly been using the guide from here: https://snort-org-site.s3.amazonaws.com/production/document_files/files/0… Continue reading Snort fails when run as a service
I’m working on a university project and I’m trying to identify a reverse shell attack with Snort IDS.
For the attack I used Meterpreter/reverse_tcp and analyzed the packets via Wireshark for traces to use in Snort rules.
I managed to find … Continue reading Snort rule doesn’t match the content in Meterpreter session packet
I want to write a rule for Snort to detect lost traffic in the network. Is it possible to write a rule that, by combining two flags, SYN and ACK, it declares that if the number of SYNs to the server exceeds a certain number, but at the sam… Continue reading Is it possible to count SYN and ACK flags separately in a single rule in Snort?
Some repositories have a set of Snort rules that cover a wide range of possible attacks.
Is it reasonable to use this set of rules (with a large number of rules) for a network and does it not significantly reduce performance (In this way, … Continue reading What is the effect of the number of snort rules on performance? [closed]
Reading through Suricata/Snort IDS rules, I can see examples such as below, and scratching my head to understand how is it feasible that a connection from home_network to external_network can have a flow direction to_client? I thought:
ho… Continue reading Snort / Suricata rules from HOME_NET with rule option flow:to_client