Snort mailing list archives

Re: I am going to install Snort IDS binaries on all Windows client and server operating systems


From: Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com>
Date: Fri, 2 Nov 2018 09:23:04 +0000

Good afternoon from Singapore,


I was wrong. The instructions for installing osquery for Windows are here:


https://osquery.readthedocs.io/en/stable/installation/install-windows/


First, you need to install Chocolatey package manager for Windows:


https://chocolatey.org/install


Then you install osquery for Windows using the instructions here:


https://chocolatey.org/packages/osquery/


The actual command is as follows:


choco install osquery --params='/InstallService'


And then you follow the final instructions here:


https://osquery.readthedocs.io/en/stable/installation/install-windows/


I already have osquery for Windows installed on my work laptop. But no events in Event Viewer\Applications and Services Logs\Facebook\osquery yet.



________________________________
From: Turritopsis Dohrnii Teo En Ming
Sent: Friday, November 2, 2018 3:40 PM
To: Wei Chea Ang
Cc: snort-users () lists snort org; Turritopsis Dohrnii Teo En Ming
Subject: Re: [Snort-users] I am going to install Snort IDS binaries on all Windows client and server operating systems


Good afternoon from Singapore, Wei Chea,


Thank you very much for the useful information which you have provided!


I found Sysmon v8.0 (System Monitor) at https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon


I found it to be an extremely useful tool. In particular, one of the capabilities of Sysmon is:


The network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names, IP addresses, port numbers and IPv6 status.


It will be exceedingly useful for me to trace which Windows process is downloading executable files from Content Delivery Network (CDN) web servers 103.1.138.x Port 80, thus triggering Snort Intrusion Detection System (IDS) alerts "A Network Trojan was Detected". I think I am going to find the Windows process responsible for this!


I am going to install Sysmon using the following commands:


sysmon -accepteula -i -l -n


Is there anything wrong with the above installation commands?


I also found osquery at https://osquery.io/. Is it the one you are talking about?


Unfortunately, there is no documentation on how to install and use it, which makes it a poorly documented software product.

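Since the goal above is to find the process behind the connections to 103.1.138.x port 80, here is an added PowerShell example (not from this thread, nor from Sysmon's own documentation) that reads Sysmon Event ID 3 (NetworkConnect) records and summarises them by process image. It assumes Sysmon was installed with network logging enabled (the -n switch) and writes to the default Microsoft-Windows-Sysmon/Operational log; the 7-day window and the CSV output path are arbitrary choices.

```powershell
# Added example: which process connected to 103.1.138.x on port 80, per Sysmon Event ID 3.
# Assumption: Sysmon is installed with -n, so NetworkConnect events are being written.
$DestPrefix = '103.1.138.'   # CDN range from the thread; matched as a string prefix
$DestPort   = 80

# Pull only Sysmon NetworkConnect events (Event ID 3) from the last 7 days.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="..."> elements under EventData.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.DestinationIp -like "$DestPrefix*" -and [int]$data.DestinationPort -eq $DestPort) {
        [pscustomobject]@{
            Time            = $e.TimeCreated
            Image           = $data.Image          # full path of the connecting process
            ProcessId       = $data.ProcessId
            ProcessGuid     = $data.ProcessGuid    # join key to Event ID 1 (ProcessCreate)
            User            = $data.User
            DestinationIp   = $data.DestinationIp
            DestinationPort = $data.DestinationPort
        }
    }
}

# Summarise by process image so the responsible executable stands out.
$hits | Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep full detail for follow-up: the ProcessGuid can be matched against
# Event ID 1 records to recover the parent process and command line.
$hits | Export-Csv -Path "$env:TEMP\sysmon-cdn-hits.csv" -NoTypeInformation
```

Run it from an elevated PowerShell session, since reading the Sysmon operational log requires administrator rights by default.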
________________________________
From: Wei Chea Ang <weichea () gmail com>
Sent: Thursday, November 1, 2018 5:13 PM
To: Turritopsis Dohrnii Teo En Ming
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] I am going to install Snort IDS binaries on all Windows client and server operating systems

Snort is probably not the best tool for your purpose. You should look at host-based tools like sysmon, osquery, etc. to perform further investigation on the alert triggers from snort.

Regards,
Wei Chea

On Thu, Nov 1, 2018, 15:33 Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com> wrote:
Good afternoon from Singapore,

A few years ago Snort binaries for Windows were not even offered on the official Snort.org website.

This morning I was rather surprised to see Snort_2_9_12_Installer.exe (Snort installer for Windows) on the official 
Snort.org website.

I am going to install Snort Intrusion Detection System (IDS) on all Windows client and server operating systems after Snort on my pfSense network security appliance detected Trojans in my computer network. There are Snort Setup Guides for Windows on the winsnort.com website.

I hope the installation process is not going to be time consuming on every Windows operating system.

This will be a boon considering that I already have Snort Intrusion Detection System (IDS) / Intrusion Prevention 
System (IPS) on my pfSense network security appliance.

===BEGIN SIGNATURE===
Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017
[1] https://tdtemcerts.wordpress.com/
[2] http://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
===END SIGNATURE===

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette