Snort mailing list archives

Re: Hello Snort Team


From: Russ <rucombs () cisco com>
Date: Sun, 21 May 2017 18:47:34 -0400

Snort++ would be great for your situation.  You can use the latest 2.X 
rules and convert them with snort2lua (provided with Snort++) to 3.0 format.

On 5/21/17 3:13 PM, Joel Esler (jesler) wrote:
We'd love people to test it out.  We don't have rules for it yet, but we are getting there.

--
Sent from my iPhone

On May 21, 2017, at 15:10, J Doe <general () nativemethods com> wrote:


On May 21, 2017, at 2:58 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Technically, http can be on any port. So, you can either use openappid to identify services instead of ports, or 
Snort3, which is service aware by default, but has no ruleset yet.

We've added that many ports to HTTP_PORTS as we've seen exploit activity in the wild over those ports.

Hi,

Good point - I hadn't considered HTTP/S traffic from exploits.

I will definitely be looking into Open AppID - I skipped that portion of the manual (which I will rectify a second 
time around!).  I will use that for my 2.9.9.x install of Snort.

I'd really like to move to Snort 3 for the support of Lua rules (I am currently using Lua with the ModSec WAF and I 
love it), and for the refactored code in C++ (C++ is one of the languages I am familiar with).  I've been following 
its progress - currently at alpha 4, a recent push to patch some security vulnerabilities detected and the Talos 
blog that says a beta is scheduled around summer.

I was wondering - would it be stable enough to run on my low volume web host?  It is not a mission critical server 
and I'd like to work with Snort 3 as the code base develops.

Thanks,

- J
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

