What is the token generated when you create a snort rule that will detect all icmp traffic?
What is the token generated when you create a snort rule that will detect all icmp traffic?
Category Archives: snort
What is the best way to create a PCAP file containing malicious traffic?
I’m in my last year of university and for my honour’s project I am tasked with comparing two intrusion detection systems, snort and suricata, hosted on a virtual machine on my PC.
As I have no access to networking devices such as switches … Continue reading What is the best way to create a PCAP file containing malicious traffic?
How can I find out what rule option "stream-event:pkt_invalid_ack" means in Suricata? [closed]
In our Suricata (version 6.0.4) logs we find many alerts messages like [1:2210045:2] SURICATA STREAM Packet with invalid ack [Classification: Generic Protocol Command Decode].
These come from the following rule:
alert tcp any any -> any… Continue reading How can I find out what rule option "stream-event:pkt_invalid_ack" means in Suricata? [closed]
How to determine Snort rules source & destination IP and port
How do you figure out Snort’s source & destination IP and port if the question is so vague? For example:
Write a snort rule that detects a UK NI number sent from a client’s web browser to a web server.
I understand how to write the reg… Continue reading How to determine Snort rules source & destination IP and port
Decrypt mobile phone app TLS/SSL traffic using Wireshark and Fiddler/Charles/MITM Proxy
I currently use fiddler/Charles Proxy/MITM proxy to decrypt and analyze SSL/TLS traffic from suspect mobile apps I want to analyze. The process I follow is to export a CA cert from Fiddler, then import that cert onto the physical phone. I … Continue reading Decrypt mobile phone app TLS/SSL traffic using Wireshark and Fiddler/Charles/MITM Proxy
How to configure Snort 3 to detect nmap’s port scanning? [duplicate]
How to configure Snort 3 to detect nmap’s port scanning? If port scanning is dectected I want to log it into a log file.
Continue reading How to configure Snort 3 to detect nmap’s port scanning? [duplicate]
How to configure Snort 3 to detect nmap’s port scanning? [duplicate]
How to configure snort 3 to detect nmap’s port scanning? For instance I want to know that an external machine A is looking with nmap for open ports on my machine B.
Such a port scan can include all ports incl. of the services available beh… Continue reading How to configure Snort 3 to detect nmap’s port scanning? [duplicate]
Use sfportscan preprocessor in snort 3
I have not found anywhere how to configure and use sfportscan in snort 3; all documentation I can find is for snort 2. I am aware of this answer, which applies to snort 2.9, and I don’t think it helps me here.
As far as I understood, I nee… Continue reading Use sfportscan preprocessor in snort 3
Can an Intrusion Prevention System (e.g. Snort) prevent CSRF and XSS attacks?
I am currently learning about IPS and was wondering about a query that applies to how IPS works. I have knowledge of CSRF and XSS attacks, however I am unsure if Intrusion Prevention Systems can prevent these attacks as it aims to block in… Continue reading Can an Intrusion Prevention System (e.g. Snort) prevent CSRF and XSS attacks?
Snort does not detect attacks when running in offline mode
When I run Snort on a pcap file (that contains malicious traffic), it does not detect anything.
I uncommented the rules path in Step #7 at snort.conf. Nothing is changed.
How to let Snort detect attacks from test.pcap and generate a log fi… Continue reading Snort does not detect attacks when running in offline mode