snort – Page 8 – WindowsTechs.com

How to analyze .pcap file to write a generic snort rule to detect c&c activity

Posted on March 6, 2019 by Dtb49

I am diving into snort and trying to figure out what everything does but I’m having a little trouble. I have a .pcap file I want to analyse and I know there is malicious c&c traffic on it. (Practice exercise for an online… Continue reading How to analyze .pcap file to write a generic snort rule to detect c&c activity→

Is there a way to change the format of the output from snort?

Posted on March 6, 2019 by Dtb49

I’m pretty new to snort and don’t know too much about it. I am trying to put together a report of my snort files but, I only want the connections not the entire flows. For example, say I have a few lines like this:

timedate… Continue reading Is there a way to change the format of the output from snort?→

Scripts for converting snort rules to mod_security rules [on hold]

Posted on February 28, 2019 by kst

I have known that there is a perl script that converts snort rules to mod_security rules, but I can’t find it anywhere.

Continue reading Scripts for converting snort rules to mod_security rules [on hold]→

Can Snort be used for monitoring Wireless traffic? [on hold]

Posted on February 16, 2019 by user199765

Can Snort be directly used for monitoring and analyzing wireless traffic?

Continue reading Can Snort be used for monitoring Wireless traffic? [on hold]→

Can an IDS be used for detecting frames (not packets) from an non-authenticated station

Posted on February 16, 2019 by Hrishikesh D Kakkad

Can an IDS, like snort, be used to detect Layer 2 network frames from a system i.e a system is trying to send a frame to the AP and whether Snort can work on the frame based on the rules?

Continue reading Can an IDS be used for detecting frames (not packets) from an non-authenticated station→

Create a snort rule that will alert on traffic on ports 443 & 447

Posted on February 6, 2019 by mkh82

Using the learning platform, the subject is Snort rules.
Question is:

Create a snort rule that will alert on traffic with destination ports 443 and 447.

My attempts:
alert tcp any any -> any 443 447 ( msg:"Sample alert"; si… Continue reading Create a snort rule that will alert on traffic on ports 443 & 447→

How to determine TLS traffic in snort signature

Posted on January 20, 2019 by rekoo

I am trying to have a snort signature that can detect encrypted traffic but I am not able to determine the TLS traffic using a snort signature.

The content keyword search in the payload of the packet, I need to search on the… Continue reading How to determine TLS traffic in snort signature→

Snort rule to detect non-TLS traffic [on hold]

Posted on January 16, 2019 by Rak Oth

I am having trouble creating a snort rule that will allow me to detect unencrypted traffic.

My goal is to detect any unencrypted traffic.

I was thinking to create a rule that if it doesn’t match encrypted traffic TLS, view… Continue reading Snort rule to detect non-TLS traffic [on hold]→

Are these snort alerts false positives or attacks? [closed]

Posted on January 14, 2019 by YOU CHT LEE

Can anyone describe this alert please?

I am confused if an attack is run against my network or not.

I run snort IDS/IPS through a pfsense firewall.

Continue reading Are these snort alerts false positives or attacks? [closed]→

In Snort for Windows, how do I limit log file size, keep that file, and make another file instance

Posted on January 9, 2019 by user194960

I have Snort for Windows.
I am trying to make a log file of say size limit 1MB.
When the log file hits the 1MB maximum, I want it to
close that file (snort.log.1234567890)
and open a new log file instance (snort.log.12345678… Continue reading In Snort for Windows, how do I limit log file size, keep that file, and make another file instance→