
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

4 votes
1 answers
7222 views
Snort PCAP file analysing doesn't write to alert file
I'm using snort in my Ubuntu 14.04 virtual machine. This is how I installed snort:

```
sudo apt-get update
sudo apt-get install snort
```

I haven't changed `/etc/snort/snort.conf` or the rules file. They remain as the default, and I did the PCAP reading using the following command:

```
sudo /usr/sbin/snort -d -l /var/log/snort -c /etc/snort/snort.conf -r /home/navarathna/Downloads/cap2.pcap
```

The PCAP file is successfully read and a `snort.log` file is created, but the size of that file is 0 bytes. When I installed snort, there was no `alert` file in the `/var/log/snort` directory, so I created one and gave ownership to snort as follows:

```
sudo chown snort.snort alert
```

After the PCAP reading, both `snort.log` and `alert` have no content (although the `snort.log` modified date changes to the last read date and time). Their sizes are 0 bytes. What am I doing wrong here? Do I need to make some additional changes to the rules/`snort.conf` files?
A.M.N.Bandara (141 rep)
Jan 29, 2015, 04:33 PM • Last activity: May 27, 2025, 07:08 AM
0 votes
1 answers
466 views
Ubuntu 22 Docker container can't set promiscuous mode in a Dockerfile, but can on command line
Hope this is the right place to ask vs SO, ServerFault, etc. I've searched a lot and can't find anything remotely like this question; ready to be proven a bad searcher.

When I build an Ubuntu 22-based Docker container and run bash on it, I can run this command in the container:

```
ip link set dev eth0 promisc on
```

But when I put that into a Dockerfile, I get an error when the command runs during build. **Question is, why is there a difference? And how can I make it work in a Dockerfile?**

Build command is:

```
docker build -t firewall .
```

I've tried it with `--allow=network.host` just for fun, no difference. When I run the built container, I do use `--privileged`, if that matters. Here's what the error looks like (image too: https://imgur.com/a/SrWcoFZ):

```
 => ERROR [23/23] RUN ip link set dev eth0 promisc on
------
 > [23/23] RUN ip link set dev eth0 promisc on:
0.200 RTNETLINK answers: Operation not permitted
------
Dockerfile:35
--------------------
  33 |     RUN cd snort3-3.1.43.0/build && make install
  34 |     RUN ldconfig
  35 | >>> RUN ip link set dev eth0 promisc on
--------------------
ERROR: failed to solve: process "/bin/sh -c ip link set dev eth0 promisc on" did not complete successfully: exit code: 2
```

Background: I'm trying to run Snort in a Docker container; it's part of building a project for an MS-level security course. One step of installing Snort is setting the network interface to promiscuous mode; if I understand correctly, this lets Snort see all network traffic, regardless of destination. I see this in standard Snort installs, but I don't really understand why I care about more than the traffic directly addressed to the container. Maybe this isn't even needed? And in case it matters, this is all happening inside a VM based on Ubuntu 24.04, long story short. And I'm building the project in a git repo, at the top-level dir; I snipped out the warning about that.

**So the bottom line thing I'm not understanding: why is this behaving differently when running it as part of a Docker build vs running it manually in the container once the container is up?** Thanks

**UPDATE**: Based on comments I set up an ENTRYPOINT script, but I still have the same problem: `RTNETLINK answers: Operation not permitted` occurs when I run this container. Here's the Dockerfile and startup script: https://github.com/jimlohse/firewallProjectPublic

**UPDATE 2**: I was being dumb and forgetting to use `--privileged` when I added the ENTRYPOINT script. Once I started using that flag, it works. Thanks! Accepted the answer, thanks for addressing my conceptual understanding.
JimLohse (103 rep)
Aug 12, 2024, 03:33 AM • Last activity: Aug 12, 2024, 10:24 PM
1 votes
0 answers
194 views
How can I make a local only bridged interface using the IP utility for SNORT?
I am trying to use the Snort IPS. In order to use it as an inline prevention system, I need to make two interfaces, and snort will bridge the two to apply its rules as a packet passes through the bridge. My issue, however, comes when I actually make a bridge between the interfaces. I have to make another virtual interface to bridge with my physical one, and I have been using the dummy interface option of the `ip` command to do this, but I don't know if that's the right way to make a usable virtual interface. However, when I do this and bridge the two outside of snort to test connectivity, I lose all connection to the external network. Here's what I've tried:

```
sudo ip link add name eth1 type dummy
sudo ip link add name br0 type bridge
sudo ip link set wlp0s20f3 master br0
sudo ip link set eth1 master br0
```

After this, I assign them all unclaimed IP addresses and MAC addresses, then bring them all up:

```
sudo ip link set dev eth1 up
sudo ip link set dev br0 up
```

Full disclosure, I've never done networking on Linux and will take any assistance you could give, even if I have to do this completely differently.
l3m0n (11 rep)
Dec 2, 2022, 03:01 AM
1 votes
1 answers
1046 views
How do I generate a Snort pcap file?
I am new to using snort and still learning in university. I am wondering, after I find an intrusion, how can I log it and save it as a pcap file, so I can analyze it further with Wireshark? What would the syntax look like to do this? I am doing what the guy is doing in the video below with two virtual machines. This is for an at-home lab. Here is the video: https://youtu.be/iBsGSsbDMyw
Albion69 (21 rep)
Nov 26, 2022, 06:13 AM • Last activity: Nov 27, 2022, 03:26 PM
0 votes
1 answers
119 views
snort doesn't alert other host port scanning
I have this configuration: a VMware Debian 11 VM running snort, and a VMware Kali Linux VM running nmap that scans the ports of the (real) Debian 11 host. snort doesn't alert on port scanning in this case. Instead, if I scan the ports of the VMware Debian 11 VM running snort, it alerts.

snort.conf (v.2.9):

```
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { high } \
    logfile { alert } \
    watch_ip { 192.168.1.8, 192.168.1.23 }
```

The VMware machines are in bridge mode. Any help? Thanks
CaneRandagio (101 rep)
Oct 5, 2021, 08:12 PM • Last activity: Oct 13, 2021, 07:52 AM
1 votes
0 answers
736 views
Blocking FTP Brute Force Attack with Snort
I am trying to become familiar with Snort, and for this reason I have set up three VMs: a Kali, a Windows machine with XAMPP, and Ubuntu where I installed Snort. I believe I have Snort running in Afpacket Inline mode. Whenever Snort starts it says "Enabling inline operation - Running in IDS mode". On the Windows machine, there is an FTP server running with a user "John" and Pass: 123456. I am attacking the server with Ncrack on Kali, and it is able to find the password in around 2 minutes.

I am trying to block the attack and be able to distinguish between a real user (me trying to log in on the host machine) and the attacker. My plan is to make a rule that goes like this: "If the server receives more than 5 attempts to log in in 1 second, then drop the packet/attempt." I have searched a lot; I have spent a good amount of hours this week not being able to find the correct rule. Do you have any tips? Any rules I should try? Am I doing something wrong? Thanks

What I have tried until now:

```
alert tcp any any -> $HOME_NET 21 (msg:"Incoming FTP connection"; flags:S; sid:10000010;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "Incoming SSH Connection"; GID:1; sid:10000012; rev:001;)
#drop tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login"; content:"530 Login"; nocase; flow:from_server,established; classtype:bad-unknown; threshold: type both, track by_dst, count 5, seconds 5; sid:491; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Possible FTP brute force attack"; metadata:service ftp-data; session:binary; sid:10000011; rev:001;)

#drop tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Brute Force Attack Attempt"; content:"530 Login or password incorrect!"; nocase; flow: stateless; threshold: type both, track by_dst, count 3, seconds 1; sid:10000012;rev:1;)

#drop tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Incoming Connections"; flags:S; threshold: type both, track by_src, count 3, seconds 1; sid:100000011; rev:1;)

#drop tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP USER overflow attempt"; flow:to_server,established; content:"USER",nocase; isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,1

#drop tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP PASS overflow attempt";flow:to_server,established; content:"PASS",nocase; isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop,ruleset community reference:bugtraq,1

#drop tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP ProFTPD username sql injection attempt"; flow:to_server, established; content:"|25 27|",fast_pattern,nocase; content:"USER";pcre:"/USER\s*[^\x0d]+\x25\x27/smi"; metadata:policy max-detect-ips drop; reference:

#drop tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP login failure"; content: "530 Login "; nocase; flow:from_server,established; threshold: type both,track by_dst,count 10,seconds 15; sid:10000011; )
#drop tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login success"; content: "PASS"; nocase; offset:0; depth:4; content: "|0a|" ; within:3; flow:from_client,established; threshold: type both,track by_dst,count 10,seconds 15; sid:10000012; )

reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE-SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre: "/^530\s+(Login|User)/smi"; classtype:unsuccessful-user; threshold: type threshold,track by_dst, count 5, seconds 30; sid:2002383; rev:3;)

#alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; dsize: content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; threshold: type both, track by_dst, count 5, seconds 30; reference:url,doc.emergingthreats.net/2002383; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force; sid:2002383; rev:11;)
```

Most of the above bring logs, and I think some block, but not what I am really looking for.
george (11 rep)
Feb 23, 2021, 05:15 PM
0 votes
2 answers
3051 views
Unable to locate package snort_Kali LInux in VMware Workstation Pro (ver 15.5.6)
Checked answers to the similar question. Still not working for me. Current entries in `/etc/apt/sources.list`:

```
deb http://http.kali.org/kali  kali-rolling main non-free contrib
deb http://http.kali.org/kali  kali-last-snapshot main non-free contrib
deb-src http://http.kali.org/kali  kali-rolling main non-free contrib

deb http://httpredir.debian.org/debian  jessie main
deb-src http://httpredir.debian.org/debian  jessie main
```

and then:

```
apt-get update
apt-get install snort
```

Results in:

```
root@kalibib:~# apt-get install snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package snort
```
kstatinet (11 rep)
Jun 25, 2020, 02:29 AM • Last activity: Nov 20, 2020, 11:08 AM
1 votes
1 answers
24780 views
Unable to locate package snort
I am having a problem with installing `snort` on Kali. I used the command:

```
sudo apt-get install snort -y
```

but it replies only with the "unable to locate the package" error. I did upgrade, update, edit `sources.list`, and did this one too:

```
sudo rm /var/lib/apt/lists/* -vf
```

then I tried to fix broken packages with:

```
sudo apt --fix-broken install
```

and then removed 650 MB of unnecessary files with:

```
sudo apt-get autoremove
```

and then finally:

```
sudo apt-get update
```

Still the same issue; however, it is only about snort and nothing else. I am not misspelling or anything, because I copied the command as well as typed it over and over, still no result.
sayed hussain (21 rep)
May 3, 2020, 06:44 AM • Last activity: Nov 14, 2020, 04:21 AM
1 votes
1 answers
2984 views
How to generate network traffic and save it to pcap files?
I want to test *snort*, so I want to have some test network traffic. Since *snort* can read pcap files, I want to generate some traffic which can be customized and save it to pcap files. Here are my questions:

1. Is it right to test *snort* as I said?
2. Is there a good tool to generate traffic and save it to a pcap file?

Any suggestions about what I am going to do mean a lot to me!
Yanghao Xie (11 rep)
Dec 4, 2016, 06:55 AM • Last activity: Nov 6, 2020, 04:46 PM
3 votes
1 answers
10403 views
libdnet is installed but can't be found by snort
I'm running Fedora 22 and just installed snort:

```
sudo dnf install snort
```

When trying to run it I get:

```
$ snort
snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
```

Yet I have the latest version of the `libdnet` and `libdnet-devel` packages installed:

```
$ locate libdnet
/usr/lib64/libdnet.so
/usr/lib64/libdnet.so.1
/usr/lib64/libdnet.so.1.0.1
/usr/local/lib/libdnet.so.1.0.1
/usr/share/doc/libdnet
/usr/share/doc/libdnet/LICENSE
/usr/share/doc/libdnet/README
/usr/share/doc/libdnet/THANKS
/usr/share/doc/libdnet/TODO
```

I'm not sure what to do from here; does anyone have any suggestions?

**Edit**

```
$ rpm -q --qf "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n" snort
snort-2.9.7.3-1.x86_64
```
Juicy (4125 rep)
Jun 15, 2015, 02:29 PM • Last activity: Mar 3, 2020, 01:58 PM
0 votes
1 answers
119 views
Does intrusion detection system(IDS) make sense on a firewalled web-server?
I'm running Apache on a server with a stateful firewall where new IPv4/IPv6 ingress connections are allowed only to TCP ports 80 and 443. SSH is allowed from a few trusted hosts, and only certain ICMP/ICMPv6 messages and UDP destination ports 33434-33534 (traceroute in UDP mode) are allowed from everywhere. Outgoing traffic is not firewalled. Is there a point in running an IDS (for example Snort) on the server in such an environment? If yes, then what does it mitigate, or what additional visibility does it provide?
Martin (8156 rep)
Jun 10, 2019, 09:47 AM • Last activity: Jun 10, 2019, 10:28 AM
1 votes
0 answers
2315 views
How to monitor system with `snort` and send emails about `alerts`
**PROBLEM:** I have been configuring `snort` on my systems and would like to get emails from the systems if there are any alerts. What I have tried is `swatch`, but I can't find much documentation on it; I can only find very basic and incomplete how-to sites and this onnocenter.or.id/wik. I created a service with systemd and set up `swatch.conf`, but it's not working.

`swatchWATCH.service`:

```
[Unit]
Description=Monitor Logfiles and send Mail reports
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/bin/swatch --config-file=/home/kristjan/.swatchrc --input-record-separator="\n \n " --tail-file=/var/log/snort/alert --daemon
Restart=always
#--tail-file=/var/log/auth.log
#./swatch -c /usr/local/.swatchrc -input-record-separator="\n \n " -p="tail -f /var/log/snort/alert " -daemon
#-c This option specifies the location of the .swatchrc file.
#
#---input-record-separator With this command-line option you can specify the delimiting boundary for each alert. By default it is the newline character, \n.
#
#-p This option is used to read information outputted directly from a command. You can use it to monitor the output of a command for specific events.
#
#-t This option specifies the file to be monitored for security events.
#
#---daemon Append this switch to enable daemon mode.

[Install]
WantedBy=multi-user.target
```

`.swatchrc`:

```
watchfor /Priority \:1/
    echo=normal
    mail=myemailATTgmail.com, subject=Snort Security Alert!

watchfor /Priority \:2/
    echo=normal
    mail=mymailATTgmail.com, subject=Snort Security Alert!
```

I have also looked at syslog-ng, but the same: I've only found incomplete how-tos, and it looks to be very complicated.

**SPECS:** My systems are Debian Stretch 9.8 and snort is from the repositories. I also have logwatch installed and configured on the servers.

I send mail on my systems like this:

```
mail -s '"Subject: auth: FAILED su for root\n\n$_\n"' somethingATTgmail.com
```

**QUESTION:** How can I get mail notifications from snort (my servers are set up to send email)? How would you do it? Where does snort log alerts (what file)?
somethingSomething (6209 rep)
May 6, 2019, 11:03 PM • Last activity: May 6, 2019, 11:33 PM
2 votes
3 answers
5077 views
Make: recipe for target 'pcap-bt-monitor-linux.o' failed
I'm following this guide to install snort on my Debian Linux. In step 2, while executing the command `make` to build libpcap, I'm getting the error `recipe for target 'pcap-bt-monitor-linux.o' failed`:

```
gcc -fpic -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -g -O2 -c ./pcap-bt-monitor-linux.c
./pcap-bt-monitor-linux.c:42:28: fatal error: bluetooth/mgmt.h: No such file or directory
 #include <bluetooth/mgmt.h>
                            ^
compilation terminated.
Makefile:83: recipe for target 'pcap-bt-monitor-linux.o' failed
make: *** [pcap-bt-monitor-linux.o] Error 1
```
Matteo Pennetta (33 rep)
Sep 12, 2015, 07:52 PM • Last activity: Mar 9, 2019, 03:14 PM
0 votes
1 answers
73 views
Log file extract data and append back same line
I have a `snort.rule` file. I need to extract the CVE numbers that follow the `reference` key from each line and append them back into the **msg** field of the same line inside flower brackets. Below is the old log:

```
alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference: /infosec/blog/2013/01/29; reference:arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959;sid:2016303; rev:4;)
```

The required output is below; the part in braces is the new change:

```
alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2 {cve,2012-5958 cve,2012-5959}"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference: /infosec/blog/2013/01/29; reference: arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959;sid:2016303; rev:4;)
```

I am able to extract the CVE numbers, but I am not getting the appending back to work:

```
cat /tmp/snort.rule | grep -o -E -e 'sid:[^;]+' -e 'reference:cve,[^;]+'
```
Jacob_ (1 rep)
Mar 6, 2019, 12:59 PM • Last activity: Mar 7, 2019, 09:22 AM
1 votes
0 answers
74 views
Limiting concurrent connections from a particular host to a particular host on a particular port?
I am trying to find a way to stop port scans or DoS type activities from within the network to external resources so I can reduce the number of abuse complaints. While I know there are numerous tools with iptables or with Snort/Suricata that can allow you to track the # of connections by source OR destination, I haven't figured out a way to do BOTH. For example, it would probably be normal activity if a particular host was making 50 outbound port 80 connections to various hosts on the Internet, but it might not be so if those 50 connections were going to one particular host in a short period of time. Has anyone encountered this issue before and have any suggestions on how to proceed? Thanks!
Chris Wong (11 rep)
May 30, 2017, 03:42 AM • Last activity: Feb 9, 2019, 06:55 PM
6 votes
3 answers
15574 views
What's the most effective way to detect nmap scans?
I am interested in detecting any nmap scans directed at a (my) GNU/Linux host. I would like to use snort in combination with barnyard2 and snorby for this, or if possible to perform signature-based detection on snort unified2 logs. I noticed a packet similar to the following pops up when performing an `nmap -A` scan:

```
[    0]  00 00 FF FF 00 00 00 00 00 00 00 00 00 00 08 00  ................
[   16]  45 00 00 A2 5C 63 40 00 78 FF 39 03 B9 1E A6 45  E...\c@.x.9....E
[   32]  05 27 08 D3 50 72 69 6F 72 69 74 79 20 43 6F 75  .'..Priority Cou
[   48]  6E 74 3A 20 39 0A 43 6F 6E 6E 65 63 74 69 6F 6E  nt: 9.Connection
[   64]  20 43 6F 75 6E 74 3A 20 38 0A 49 50 20 43 6F 75   Count: 8.IP Cou
[   80]  6E 74 3A 20 32 0A 53 63 61 6E 6E 65 72 20 49 50  nt: 2.Scanner IP
[   96]  20 52 61 6E 67 65 3A 20 38 34 2E 32 34 32 2E 37   Range: 84.242.7
[  112]  36 2E 36 36 3A 31 38 35 2E 33 30 2E 31 36 36 2E  6.66:185.30.166.
[  128]  36 39 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 43 6F  69.Port/Proto Co
[  144]  75 6E 74 3A 20 31 30 0A 50 6F 72 74 2F 50 72 6F  unt: 10.Port/Pro
[  160]  74 6F                                            to
```

What's the packet above? Does it have to do with nmap solely? (I highly doubt that.) Unfortunately, snort configured with sfPortscan isn't as effective and/or accurate as I want it to be (scans are detected, but for some reason I can't see details about them, such as source/destination; see the attached images). I have iptables configured with `--hitcount` and `--seconds`, which makes "stream5: Reset outside window" pop up, thus I can detect a few scans. What are my options here?
niemal010 (95 rep)
Nov 7, 2014, 10:04 PM • Last activity: Dec 20, 2018, 12:13 AM
1 votes
0 answers
49 views
Match SNORT IP alerts to specific URLs
I have SNORT running on an Ubuntu 18.04 server. I have alerts firing off but the alert logs come through as IP addresses. I have a list of websites the system has visited throughout the day. Is there a way of matching the URLs to the alerts? One way I have thought is doing a domain -> IP translation and then matching the IP and time of visit with the alert log but is there a more accurate way?
Softey (113 rep)
Oct 27, 2018, 02:57 PM
0 votes
3 answers
2994 views
How to start the Snort service with logging enabled?
I set up snort on a CentOS server and added it as a service. When I use the `service snortd start` command, the log file is created but it is empty. If I use the `snort -q -l /var/log/snort` command, the log file is created and filled with logs. What should I do in order to use `service snortd start` and have the logging work?
SLYN (1 rep)
Jun 20, 2014, 02:40 PM • Last activity: Aug 28, 2018, 06:01 PM
1 votes
1 answers
2303 views
barnyard missing SID msg map file from snort
I installed snort (currently ver. 2.9.7.0-5), then compiled Barnyard2 Version 2.1.14 (Build 337). At first try with:

```
sudo ./barnyard2 -c ../etc/barnyard2.conf -o /var/log/snort/snort.alert
```

I get `Unable to open SID file '/etc/snort/sid-msg.map' (No such file or directory)`. Which is true: `/etc/snort/sid-msg.map` indeed is missing. I tried with the existing `/etc/snort/community-sid-msg.map`, but then I get:

```
ERROR: [ParseSidMapLine()]: Unknown sidmap file version
```

Am I missing something, or what should I do in order to make it work?

```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:        16.04
Codename:       xenial
```
Adrian (773 rep)
Apr 5, 2018, 05:27 PM • Last activity: Apr 6, 2018, 10:37 PM
0 votes
1 answers
1007 views
Help With PulledPork Please
I have been working to get snort, barnyard2 and pulledpork installed on my Ubuntu machine, and I have the first two installed, no problem. With pulledpork I can't seem to get past this error message:

```
name@host:~/snort_src/pulledpork-0.7.0$ sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
              /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!

Checking latest MD5 for snortrules-snapshot-2980.tar.gz....
Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2980.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 463.
        main::md5file('', 'snortrules-snapshot-2980.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/ ') called at /usr/local/bin/pulledpork.pl line 1847
```
DHW (1 rep)
Dec 3, 2015, 08:38 PM • Last activity: Nov 16, 2016, 05:31 AM