Collaborate Disseminate
Does Snort have the "automatic protocol detection" function like Suricata? I read that Snort 3 has "Autodetect services for portless configuration" feature. Does it mean that this function is absent in Snort 2? Or they … Continue reading Snort automatic protocol detection
I’m trying to find difference between Zeek and Snort 3. Сan anybody tell me what are the advantages of Zeek against Snort 3?
I’m trying to write a snort rule which detects if certain binary files where requested via HTTP based on a regex rule matching there names.
But it should only send an alert if the file exists (e.g. HTTP 200 OK reply).
Is it possible to ha… Continue reading Snort analyze reply based on request
If I do something like
alert tcp any any <> any any (content:”TestA”; content:”TestB”; sid:1000000; msg:”Syntax correct!”;)
then the syntax is correct, but, what I would like to do is to match either “TestA” or “TestB”. So if I g… Continue reading ids – How do I match any string in a list of snort contents?
I feel like should be an easy way to map between SNORT rules and associated CVEs. I’m aware of their own search function on their site at: https://www.snort.org/rule-docs, but I feel like it’s giving way fewer results than it should. Is th… Continue reading Is there an easy Snort rule to CVE mapping database somewhere?
I am trying to ignore a IP/port for sfportscan. I have tried adding the host this way:
[IP] [port] and [IP]:[port]
But I get this error message:
Invalid ip_list to ‘ignore_scanned’ option
How do we identify false positive from Snort Alert? Can we determine alert with high priority is not a false positive? Or can we say alert with high frequency is a false positive?
snort community lebel is installed in my ubuntu 18.04. It is successfully installed but when I run it with
snort -A console -Q -c /etc/snort/snort.conf -i eth0 -N
then it shows an error message like this
“ERROR: pcap DAQ does not s… Continue reading snort not run in my ubuntu system [closed]
I am new to information security, and am trying to set-up Snort 2.9.15.0.
It seems like on Windows and Linux, that Snort doesn’t generate any default rules at installation. It doesn’t even generate default files, causing the… Continue reading Snort Doesn’t Generate Default Rules
I was wondering if you could add into a snort rule the ability to only alert if the first 3 bytes match. I think I need to edit the content in my current rule content:”|37 e1 a4|”; I can add the full rule if that can help.
… Continue reading Snort Content first 3 bytes the same then create an alert