Snort mailing list archives
Re: Snort 3.0 is not detecting shell code attacks
From: João Pedro via Snort-users <snort-users () lists snort org>
Date: Mon, 17 Jun 2019 10:30:24 +0000
I send those files enclosed in this email. It's possible to check now my problem easily. I run this command every time I want to test Snort: * snort -r myfile.pcapng -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules -A alert_json > alerts.json I'm expecting the rule "1394" and "648" to be triggered, but is not working... In .pcap file is possible to see buffer overflow attacks tested by me (e.g. check the filter "tcp.dstport==50096 or tcp.dstport==50098"). What is the problem? Às 02:26 de 17/06/19, Russ Combs (rucombs) escreveu: Please send pcap, rules, config so we can help you out. On 6/16/19, 7:39 PM, "Snort-users on behalf of João Pedro via Snort-users" <snort-users-bounces () lists snort org on behalf of snort-users () lists snort org><mailto:snort-users-bounces@lists.snort.orgonbehalfofsnort-users () lists snort org> wrote: I'm testing snort 3.0 with Community rules. Besides triggering alerts from port scans, it is not detecting Buffer Overflow attacks (.i.e. made with Metasploit). Is there a problem with the current rules in Snort 3.0? Should I activate/config something else? Ps: I'm testing Snort from .pcap files _______________________________________________ Snort-users mailing list Snort-users () lists snort org<mailto:Snort-users () lists snort org> Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org<mailto:snort-users-leave () lists snort org> Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 16)
- <Possible follow-ups>
- Re: Snort 3.0 is not detecting shell code attacks Russ Combs (rucombs) via Snort-users (Jun 16)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks Dorian ROSSE via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks Russ Combs (rucombs) via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks Dorian ROSSE via Snort-users (Jun 18)
- Re: Snort 3.0 is not detecting shell code attacks Dorian ROSSE via Snort-users (Jun 18)
- Message not available
- Re: Snort 3.0 is not detecting shell code attacks Chankit Dureja (Jun 19)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks Dorian ROSSE via Snort-users (Jun 17)