Snort mailing list archives

Re: Snort as Firewall Check?


From: "Nihal Desai \(nihdesai\) via Snort-users" <snort-users () lists snort org>
Date: Mon, 19 Aug 2019 14:42:22 +0000

Hi - you can definitely configure and run Snort to detect and block the attacks mentioned below.
Please take a look at snort3 and play around with community rule sets to see if it fits your needs.

https://github.com/snort3/snort3

https://www.snort.org/downloads

--
V/r
Nihal N. Desai
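As an added illustration of the reply above (not code from the thread, from the Snort project, or from the community rule set), here is a minimal Snort 3 snort.lua that would alert on the categories the router log lists: ACK, SYN/ACK and RST probes, and chargen/echo traffic. It assumes the stock snort_defaults.lua is on Snort's include path, that the DMZ host's address range is 192.168.1.0/24 (an assumption; set HOME_NET to the real range), and uses local SIDs in the 1000000+ range, which is the conventional space for rules that are not from a distributed rule set.

```lua
-- Added example (not from the mailing-list thread): a minimal Snort 3 snort.lua
-- covering the categories in the router log. Assumes the stock snort_defaults.lua
-- is on the include path; HOME_NET below is an assumption, set it to the DMZ range.
HOME_NET = '192.168.1.0/24'
EXTERNAL_NET = '!' .. HOME_NET
include 'snort_defaults.lua'   -- defines default_variables, default_med_port_scan, ...

-- Session tracking lets rules distinguish stray probes from packets of real flows
-- and is needed by the port_scan inspector.
stream = { }
stream_tcp = { }
stream_udp = { }

-- Sweeps of ACK, SYN/ACK and RST probes are reported as scans by the port_scan
-- inspector once a source crosses its thresholds, independent of the rules below.
port_scan = default_med_port_scan

ips = {
    enable_builtin_rules = true,    -- inspector-generated alerts, including port_scan's
    variables = default_variables,
    -- Local rules inline. flow:not_established restricts a rule to packets that are
    -- not part of an established TCP session, which is how an unsolicited ACK,
    -- SYN/ACK or RST probe arrives; detection_filter keeps one-off stragglers quiet
    -- and alerts only when a source repeats the probe (20 in 60 s here).
    rules = [[
# TCP probes the router labels "ACK Scan", "SYN/ACK Scan" and "RST Scan"
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"LOCAL unsolicited ACK probe"; flow:not_established; flags:A; detection_filter:track by_src, count 20, seconds 60; sid:1000001; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"LOCAL unsolicited SYN/ACK probe"; flow:not_established; flags:SA; detection_filter:track by_src, count 20, seconds 60; sid:1000002; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"LOCAL unsolicited RST probe"; flow:not_established; flags:R+; detection_filter:track by_src, count 20, seconds 60; sid:1000003; rev:1; )
# Chargen (19/tcp, 19/udp) and echo (7/tcp, 7/udp): legacy services abused for amplification
alert tcp $EXTERNAL_NET any -> $HOME_NET 19 ( msg:"LOCAL chargen probe"; flow:not_established; flags:S; sid:1000004; rev:1; )
alert udp $EXTERNAL_NET any -> $HOME_NET 19 ( msg:"LOCAL chargen probe"; sid:1000005; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7 ( msg:"LOCAL echo probe"; flow:not_established; flags:S; sid:1000006; rev:1; )
alert udp $EXTERNAL_NET any -> $HOME_NET 7 ( msg:"LOCAL echo probe"; sid:1000007; rev:1; )
    ]],
}

-- One alert per line, so the output can be compared with the router's log.
alert_fast = { file = true }
```

Run it on the DMZ host with `snort -c snort.lua -i <interface> -l <log directory>` and compare the timestamps and source addresses in alert_fast with the router's entries. Two caveats a practitioner would want: first, a host in the DMZ only sees traffic the router forwards to it, so the comparison covers that host, not every address the router protects; second, "ACK Scan" entries whose source port is 80 or 443 are frequently late packets from web servers a local client was just talking to rather than a scan, and the stream tracking above is what lets Snort tell those apart. Blocking, which the reply also mentions, requires Snort to sit inline on the path (the `block` rule action in Snort 3 with an inline-capable DAQ); a passive DMZ monitor can only alert.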

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Dick via Snort-users <snort-users () lists snort org>
Reply-To: Dick <bednar.network () gmail com>
Date: Monday, August 19, 2019 at 10:12 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort as Firewall Check?


For some time, I have wondered if the firewall log on my router was accurately detecting the various types of internet 
ugliness (Denial of Service, Port Scans, etc.)

It occurred to me that I could set up a machine in the router DMZ and separately monitor internet traffic using 
something like Snort.  The new Raspberry Pi 4 seems like a possible candidate, what with 4GB memory and a true gigabit 
ethernet port.

Before charging down that track, I want to confirm that this is something Snort would be useful for.  Here are some of 
the things the router reports:

[DoS Attack: ACK Scan] from source: 103.38.23.5, port 80, Thursday, August 08, 2019 04:54:39
[DoS Attack: ACK Scan] from source: 13.33.227.116, port 443, Sunday, August 04, 2019 16:50:54
[DoS Attack: ACK Scan] from source: 13.33.231.78, port 443, Tuesday, August 06, 2019 21:16:50
[DoS Attack: SYN/ACK Scan] from source: 104.196.243.253, port 80, Tuesday, August 06, 2019 08:48:23
[DoS Attack: SYN/ACK Scan] from source: 108.187.116.197, port 80, Monday, August 12, 2019 06:57:30
[DoS Attack: SYN/ACK Scan] from source: 108.187.116.197, port 80, Monday, August 12, 2019 14:52:03
[DoS Attack: RST Scan] from source: 104.27.133.183, port 80, Saturday, August 03, 2019 00:41:47
[DoS Attack: RST Scan] from source: 107.77.253.8, port 19092, Friday, August 02, 2019 22:25:50
[DoS Attack: RST Scan] from source: 113.160.23.146, port 56688, Sunday, August 11, 2019 18:56:03
[DoS Attack: TCP/UDP Chargen] from source: 104.152.52.35, port 47986, Monday, August 12, 2019 15:30:18
[DoS Attack: TCP/UDP Chargen] from source: 120.52.152.15, port 55340, Friday, August 09, 2019 03:03:18
[DoS Attack: TCP/UDP Chargen] from source: 120.52.152.17, port 58914, Friday, August 09, 2019 08:15:56
[DoS Attack: TCP/UDP Echo] from source: 104.152.52.35, port 47986, Monday, August 12, 2019 15:35:52
[DoS Attack: TCP/UDP Echo] from source: 136.41.0.79, port 49250, Sunday, August 11, 2019 15:03:22
[DoS Attack: TCP/UDP Echo] from source: 136.41.0.79, port 49250, Sunday, August 11, 2019 15:03:25

Please forgive me if this question is inappropriate.  My internet searches have not turned up information that helps me 
with this decision.




_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
