Collaborate Disseminate
I’m trying to write a rule to catch a Slow-Loris attack, this is what i have –
alert tcp any any -> any any (msg:”Possible Slow Loris attack”; classtype: denial-of-service; flow: to_server, established; pcre: !”/\x0D\x0A… Continue reading IDS Snort rule to catch Slow-Loris
I am thinking about building a Linux Snort machine that can listen to both WAN and LAN traffic.
Setup I am thinking about:
Snort computer with two NICs
One NIC connected to hub/tap outside firewall (WAN)
One NIC connected to hub/tap insi… Continue reading Can dual NIC Snort machine cause threats to bypass firewall?
I am trying snorts file inspect preprocessor for blocking incoming files from their sha256sums. I am using snort version 2.9.9.0 with daq nfq inline mode any my file_inspect preprocessor configs are shown below:
config file:… Continue reading snort file_inspect signature working inconsistently [on hold]
I am testing portscan with snort. Keeping snort running in Ubuntu virtual machine, I am running nmap from Windows host. Snort detects portscan. But when I run snort over the saved tcpdump of this same traffic it does not dete… Continue reading Portscan detection using snort on tcpdump/trace file
I want to perform intrusion detection. My idea case is to do anomaly based detection. knowing the fact that anomaly detection generates false positives, I am thinking to adopt hybrid approach. can i get a guide how to accomp… Continue reading Hybrid approach toward IDS
I am trying to figure out a way to detect ssh sessions that have been established over a long period of time. I seem to recall that there were ways to detect tcp connections that have been connected for a long time but I do … Continue reading How to detect long lived SSH sessioned
I want to use fortigate for a SIEM correlation rules engine that is based on snort.
I’m looking for log fusion in snort and fortigate.
Is there any mapping between snort & fortigate rules sid?
When I visited the the Snort’s website to download the source code for compilation, I found there were 2 downloads available.
One was titled Snort and another was titled Snort 3.0
Has the development of Snort stopped and t… Continue reading Major differences between Snort and Snort 3.0
I am trying to understand IDS signature, but always run into a roadblock with PCRE. Is anyone aware of a cheatsheet or site that may help with understanding regular expression? I’ve found good PCRE Regex cheetsheets but the syntax in the rules doesn’t aways match. For example I am trying to understand the regex of this rule:
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any ( msg:\”ET
ATTACK_RESPONSE Output of id command from HTTP server\”;
flow:established; content:\”uid=\”; pcre:\”/^\d+[^\r\n\s]+/R\”;
content:\” gid=\”; within:5; pcre:\”/^\d+[^\r\n\s]+/R\”;
content:\” groups=\”; within:8; classtype:bad-unknown; sid:2019284;
tag:session,5,packets; rev:1; )
More specifically, could someone walk me through the PCRE elements?
pcre:\”/^\d+[^\r\n\s]+/R\”
pcre:\”/^\d+[^\r\n\s]+/R\”
Any help would be appreciated.
Thank You!
how can I use snort to breakdown http/https traffic into separate sessions and track each session separately and also dump them into separate log files or something that I can read from.
Continue reading how to use snort to track http/https sessions separately?