Collaborate Disseminate
last days I spent a lot of time by installing Security Onion on VMWare Player. The idea was to understand how does IDS in practice works after lot of study.
I followed to the letter the installation VMWare Walk-through guide… Continue reading VMWare + Security Onion + Sguil doesn’t works!
Not sure if this is a simple question but I was hoping for some insight into finishing a pentest lab. My goal is to have Snort sniff an attack in a virtual environment between two guest VM’s. My current setup running on virtu… Continue reading Detecting Guest to Guest Traffic in Virtualbox Using Host Running Snort
I work with snort log file and now I need to extract the TCP header.
My question is: How to log only the TCP header from the packets captured by snort log file (without the payload) using command line in netmap?
Continue reading How to log only the TCP header using command line in snort or nmap?
According to the manual:
reject – block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
I’ve written the following rule:
reject tcp any any … Continue reading Snort reject rule doesn’t drop packet
For example, flow:established is detecting only for packets with sessions connected.
Then, the server is rejecting packets to received after the session is disconnected?
I am trying to troubleshoot a bunch of flowbits generated by pulledpork from snortrules-snapshot-2990.tar.gz.
WARNING: flowbits key ‘file.pdf’ is set but not ever checked.
The line in the generated rules files by pulledpork reads ….
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:”FILE-PDF pdf file sent via email”; flow:to_server,established; content:”JVBERi0x”; flowbits:set,email.pdf; flowbits:noalert; metadata:service smtp; classtype:policy-violation; sid:15361; rev:5;)
I am trying to fix it by reverting the direction flow and setting the isset bit.. but I doubt it works I dont understand what the preceding line means
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:”FILE-PDF pdf file sent via email”; flow:from_server,established; content:”JVBERi0x”; flowbits:isset,email.pdf; flowbits:noalert; metadata:service smtp; classtype:policy-violation; sid:15361; rev:5;)
There are many instances from $EXTERNAL_NET any -> $SMTP_SERVERS 25 in the rules file that tracks various file attachments that generates flowbits warnings
I dont have any $SMTP_SERVERS in my internal network specified in snort.conf for protection. Do I need to turn off these warnings
Please shed some light on what the first rule means and how to turn off the error
Any help greatly appreciated. Thankyou.
I am working with commands that have already been tested to work but they aren’t working now.
This is my config file:
alert tcp any any <> any any (msg: “/etc/passwd Payload Found”; content: “/etc/passwd/”; sid: 69;)
… Continue reading Snort generates an alert that is empty
I have been looking around for clues on how to define rules, decoders or preprocessors to be able to content-inspect the TCP Header’s Optional Data ( The last 0-40 bytes of the TCP Header)
TCP Header
Any clues?
Is Snort ev… Continue reading How to inspect TCP Header -> Optional Data with Snort?
I am new to Snort. I don’t know what these rules do.
netbios.rules
p2p.rules
misc.rules
I am performing a test on some DoS attacks and how to detect them. I am currently testing the slowloris tool, but all the signature I have seen online, as very very few as they,do not work even after modifying some parameters… Continue reading Where can I find a snort signature for detecting slowhttp DoS attack from Slowloris tool