Collaborate Disseminate
I’m using SecurityOnion distro and I would to run snort on my pcap files. Is there a way to specify just one rule? I couldn’t understand whether local.rules is used.
How can I show only the result of my rules instead of sta… Continue reading How use snort with local.rules in offline mode?
I am new to SNORT and can not figure out what the following rule means:
alert tcp $EXTERNAL_NET any-> $HOME_NET any (msg:”SCAN FIN”; flags: F;
reference:arachnids,27;
I need to give a presentation regarding Snort and Security Auditing. I have recently learned to configure Snort as a NIDS.
I want to know is there any way I can configure Snort as an HIDS? If I am updating variable HOME_NET to my IP, it’ll… Continue reading Can Snort be configured as HIDS?
I have written this rule but when I try to reload Snort it is failing. I have commented out the rule and reloaded snort; it is working so I know it’s the rule.
alert tcp any any -> any 5466 (msg:"FTP command execution";
flow:… Continue reading Problem with my Snort rule
I have a pcap file, and what I wanted to know is how can I apply the Snortrule below which I’ve already written within the rules folder in my log folder:
alert icmp any any -> any any (msg:”TCP Packet”; sid:477; rev:3;)
I have recently installed the Security Onion distro for Ubuntu.
This distro does a great job of combining multiple tools like snort/Suricata, Sguil, Snorby, Elsa, bro ids, Squert, etc. Within my Security Onion the installati… Continue reading Security Onion: Snorby alerts show all local network source IP (public and private)
I realize there is already a question similar to this one, but this is somewhat of a follow-up.
I understand that a reverse proxy server by itself is hardly useful as a web app security measure because it just kind of “hides” the server b… Continue reading Open source or common implementations for reverse proxy web application security
I just noticed my snort rules fired today on this, on a brand new ossim server I was testing.
“shellcode x86 inc ebx noo” on with the source ip from Canada. Why might a brand new server, behind a firewall and a NAT router, se… Continue reading Snort rules question [closed]
I just noticed my snort rules fired today on this, on a brand new ossim server I was testing.
“shellcode x86 inc ebx noo” on with the source ip from Canada. Why might a brand new server, behind a firewall and a NAT router, se… Continue reading Snort rules question [closed]
What is the easiest way to test Snort IDS after installing? Would using and writing a rule that captures all of the traffic work?
alert ip any any -> any any ( msg: “ICMP packet detected!”; sid: 1; )
That is, using its… Continue reading Testing Snort IDS installation