Snort mailing list archives

Re: Request for CVE Number Information


From: "Russ Combs (rucombs) via Snort-sigs" <snort-sigs () lists snort org>
Date: Tue, 12 Mar 2024 14:19:47 +0000

You can do this with Snort 3 but only for raw packets by adding these lines to your config:

    search_engine.detect_raw_tcp = true
    alerts.log_references = true

and running with snort -A full. It will give output like this:

[**] [1:1:0] "message" [**]
[Priority: 0]
06/17-16:01:09.780413 10.1.2.3:10001 -> 10.9.8.7:80
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:249
***A**** Seq: 0x2  Ack: 0x2  Win: 0x8000  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=0000-9999]

All references in the alerting signature will be listed. (The example has a bogus CVE = 0000-9999.)

We'll fix it to work for all alerts using full, csv, and json.

Thanks
Russ

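To turn the "-A full" text above into something a PCAP review can act on, here is an added example (not part of Russ's reply or of Snort itself) that parses that alert layout and pulls the CVE ids out of the Xref lines. It assumes one "[Xref => ...]" line per reference, as in the reply's sample; the constructed input reuses the reply's bogus 0000-9999 reference and a placeholder for a non-CVE reference.

```python
import re

# Constructed sample in the "snort -A full" layout from the reply
# above. The CVE Xrefs reuse the reply's deliberately bogus
# 0000-9999; the last Xref is a placeholder for a non-CVE reference.
SAMPLE_ALERTS = """\
[**] [1:1:0] "message" [**]
[Priority: 0]
06/17-16:01:09.780413 10.1.2.3:10001 -> 10.9.8.7:80
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:249
***A**** Seq: 0x2  Ack: 0x2  Win: 0x8000  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=0000-9999]

[**] [1:2:3] "second message" [**]
[Priority: 2]
06/17-16:01:10.000001 10.1.2.3:10002 -> 10.9.8.7:443
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=0000-9999]
[Xref => http://example.invalid/PLACEHOLDER-non-cve-reference]
"""

# One regex per line type we care about; unrecognised lines (the TCP
# header details) are skipped.
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] "(.*)" \[\*\*\]$')
PRIORITY_RE = re.compile(r'^\[Priority: (\d+)\]$')
PACKET_RE = re.compile(r'^\S+ (\S+:\d+) -> (\S+:\d+)$')
XREF_RE = re.compile(r'^\[Xref => (\S+)\]$')
CVE_URL_RE = re.compile(r'cvename\.cgi\?name=(\d{4}-\d{4,})$')

def parse_full_alerts(text):
    """Return one dict per alert: gid/sid/rev, msg, priority, flow, xrefs, cves."""
    alerts, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]),
                   "msg": m[4], "priority": None, "flow": None,
                   "xrefs": [], "cves": []}
            alerts.append(cur)
        elif cur is None:
            continue  # text before the first alert header
        elif m := PRIORITY_RE.match(line):
            cur["priority"] = int(m[1])
        elif m := PACKET_RE.match(line):
            cur["flow"] = (m[1], m[2])
        elif m := XREF_RE.match(line):
            cur["xrefs"].append(m[1])
            if c := CVE_URL_RE.search(m[1]):
                cur["cves"].append("CVE-" + c[1])
    return alerts
```

Non-CVE references stay in "xrefs" so nothing from the signature is lost, while "cves" holds only ids that match the cve.mitre.org lookup URL.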
________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Mohamed Sayed <mohamed.sayed () invictux com>
Sent: Monday, March 11, 2024 8:31 AM
To: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: [Snort-sigs] Request for CVE Number Information


Hello Snort Team,



I have an important question regarding whether Snort rules can provide the CVE number if an alert is raised from 
detecting malicious patterns or activities. Additionally, I'm curious if there are any settings or features available 
to display related CVEs for these malicious activities, as I will be running this on PCAP files.



Best Regards,

Mohamed Sayed

OT/ICS Cybersecurity Engineer

OT/ICS Services | Invictux


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads