Questions tagged [snort]

Snort is an open-source network intrusion detection/prevention system (NIDS/NIPS).

Snort is an open-source network intrusion detection/prevention system (NIDS/NIPS) that combines the benefits of signature-, protocol-, and anomaly-based inspection. Because it has been so widely deployed, it has become the de facto standard for IPS.

Snort was created by Marty Roesch in 1998, and it is now developed by Sourcefire, with Roesch as CTO. Sourcefire offers a commercial version of Snort but fully supports and embraces the open-source model.

Snort is typically installed on Linux, though it is also possible to run it on OS X, Windows and many other operating systems. It can be downloaded in source form or as pre-packaged binaries, and it is also available through most package managers such as Brew, Apt, etc.

Most people use a third-party tool such as Snorby, Squert, Base or Sguil (to name but a few) to analyse their Snort logs and alerts. The Linux distro Security Onion comes with all of these tools pre-installed, which makes it an excellent resource for learning about Snort and about Network Security Monitoring in general (which makes heavy use of Snort).

322 questions
17 votes, 6 answers

How to view snort log files

I have been working with snort-IDS. I have got some log files at /var/log/snort. The files are of type snort.log.xxxx. How do I view this file?
M.S Balagopal · 247 · 2 · 3 · 6
13 votes, 2 answers

Snort/PCRE Regex: odd character class syntax

While I was parsing the Snort regex set I found a very odd character class syntax, like [\x80-t] or [\x01-t\x0B\x0C\x0E-t\x80-t], and I can't figure out (really no clue) what -t means. I don't even know if it's standard PCRE or a sort of Snort…
Simone-Cu · 1,109 · 8 · 21
12 votes, 4 answers

Snort Message - WARNING: No preprocessors configured for policy 0

I have installed and configured snort 2.9.7.2 and it is running without a problem. However, my question is: what does the following warning mean? "No preprocessors configured for policy 0". This message shows when I run the command: snort -v
JG4 · 131 · 1 · 1 · 3
8 votes, 3 answers

Parsing Snort Logs with PyParsing

Having a problem with parsing Snort logs using the pyparsing module. The problem is with separating the Snort log (which has multiline entries, separated by a blank line) and getting pyparsing to parse each entry as a whole chunk, rather than read…
Sam Halicke · 194 · 2 · 9
6 votes, 5 answers

MySQL - Big DELETEs on multiple tables

I have 7 related tables and on one of the tables, there is a timestamp column and I want to delete all rows older than 30 days. However, these are VERY big deletes. I'm talking tens of millions of records. If I delete all these records from the main…
V. Zed · 121 · 9
6 votes, 4 answers

Analyzing Bluetooth Low Energy Traffic

While trying to study BLE I am wondering if it is possible to analyse it through tools like Wireshark and snort? I came across one by the name "ubertooth" but that's a USB device which needs to be purchased in order for us to do DPI on BLE frames,…
user3563251 · 69 · 1 · 1 · 4
5 votes, 1 answer

How to Use Snort to detect NMAP default SYN scan?

I saw this with the same question and it comes to this rule: alert tcp any any -> any any (flags:S; msg:"NMAP TCP SYN"; sid: 1231213;) but it is totally wrong, it will alert you on almost anything like a simple HTTP or HTTPS request. I am going…
malloc · 604 · 10 · 18
5 votes, 2 answers

Snort Website Block Rule

Trying to write a snort rule that prevents the system (using its IP) from accessing a specific website, tried this up to now. alert tcp any any <> 'ipaddress' any (content: "web url"; msg: "Access Denied"; react:block; sid:1000005;) Any ideas on…
justinmartin123 · 51 · 1 · 1 · 2
5 votes, 2 answers

including header files in C and compile

I am working with an open source project called snort, which is written in C, under Linux. I opened the project in netbeans correctly and now I am going to do some changes in this source code. The src folder of the program contains several folders and also…
sajad · 2,094 · 11 · 32 · 52
4 votes, 2 answers

Snort rules regex matching

I want to generate an event in snort whenever someone visits a URL structured like site/year2015.pdf site/year2014.pdf : : site/year2000.pdf Instead of writing multiple snort rules as more URLs will be added over the years I thought of utilizing PCRE.…
Babar · 1,202 · 1 · 12 · 21
4 votes, 1 answer

snort ips rule - reject works but drop and sdrop don't work

I try to run snort as an IPS. So I install snort on ubuntu server via apt-get and config daq_type as afpacket and daq_mode as inline, and 2 interfaces like eth1:eth2. Then I write a rule for test: reject tcp any any -> any any (sid: 1000005;) It works…
Thomas Anderson · 74 · 1 · 1 · 9
3 votes, 1 answer

What does /R mean in snort's pcre rule option?

I'm trying to generate some traces that can trigger snort's alert to test the performance of snort. But there are some pcre options in some rules that contain /R, which I don't understand. For example, there's a pcre option in one snort rule pcre:…
sk_buff · 81 · 7
3 votes, 1 answer

Termination issue in pcre

Actually, I am building rules for my Snort IDS and trying to solve a problem with the Billion Laughs attack. It is nothing else than just a recursive call of predefined variables. Snort rules may contain pcre and so I try to build an intelligent rule…
Mischu · 65 · 6
3 votes, 1 answer

Packet count in hadoop ( with Mapreduce )

Things that have been done: Hadoop installation from the following link: http://www.cloudera.com/content/cloudera/en/documentation/cdh4/v4-2-0/CDH4-Installation-Guide/cdh4ig_topic_4_4.html Installed Hping3 to generate flood requests using: sudo hping3…
Ratan Kumar · 1,640 · 3 · 25 · 52
3 votes, 3 answers

Execute script on Snort alert

I currently am experimenting with a Raspberry Pi. I am running Snort, which is packet detection software. In case Snort raises an alert, I would want to execute a (Python) script. Snort is executed on a Raspberry Pi as follows: sudo snort -q…
Alex van Rijs · 803 · 5 · 17 · 39