[Snort-openappid] 4th year student trying to use snort in their project

Daniel T daniel92374 at gmail.com
Fri Mar 9 07:02:37 EST 2018


Shane,

I'm not sure you're going to find what you want with snort.

Snort is, at its core, a pattern matching software. Meaning you'd have to
have rules to look for specific strings inside of the network traffic.

This would become difficult if the traffic is going over HTTPS.

In answer to your questions:

1. Yes, but it needs to be monitored while the download is happening.

2. To my knowledge snort only monitors network traffic. It does not look at
file paths. You would need a tool like Yara for that.

3. Snort will look at all network traffic and apply actions to anything
that matches a rule in your rule list.

4. Back to point 2. Snort monitors network traffic only (PCAP is the
exception to that. You can run snort against a PCAP).

You're probably better off looking into using Yara for scanning local
files, however this still runs on a rule list, meaning you'd need to know
what you want to look for first.

Your other option which might be easier is to write a script that takes a
hash of every file you download and uploads that hash to something like
Virustotal or Filecheck.io. This won't give you automated blocking but it
will at least tell you if that file is known malicious or not.

On Fri, Mar 9, 2018, 04:35 Shane Corridon via Snort-openappid <
snort-openappid at lists.snort.org> wrote:

> Hi All,
>
>
>
> I am a 4th year I.T. Management student in Cork Institute of Technology. I
> am currently working on my final year project. I am building an automated
> open source software analyser and vulnerability detector. I wish to use
> snort to analyse open source software that is downloaded from the web by
> users. I am unsure how to use snort to analyse software downloads without
> installing them on the machine.
>
>
> The flow of my application is: firstly a user downloads any free online
> software; this will then be analysed using snort; and lastly the download
> will either be blocked or marked safe to use.
>
>
>
> I need to use snort to examine the software source code and give a result
> on whether or not the software is safe for the user to use.
>
>
>
> Can you tell me:
>
>    1. Is it possible to use snort to examine software downloads which
>    have not yet been installed on the machine?
>    2. What file paths is snort monitoring for executable software
>    applications?
>    3. How does snort know what to analyse? Is it looking for the file
>    extension such as .exe?
>    4. If the software downloads need to be installed before snort can
>    scan them, then can I use a script to move the downloads into the
>    appropriate paths so snort can analyse the download without it being
>    installed?
>
> Any help is greatly appreciated!
>
>
>
> Best Regards
> Shane
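The hash-and-look-up script Daniel suggests, written out as an added example (not code from the thread or from the Snort project). It assumes the VirusTotal v3 `/files/{hash}` endpoint with the key in an `x-apikey` header, and a download folder path; the sample files it hashes are constructed, not real software.

```python
import hashlib
import json
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

# VirusTotal v3 hash lookup endpoint; the API key goes in the x-apikey header.
VT_URL = "https://www.virustotal.com/api/v3/files/"

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large installers never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_downloads(directory):
    """Return {filename: sha256} for every regular file in the download folder."""
    return {p.name: sha256_of_file(p) for p in sorted(Path(directory).iterdir()) if p.is_file()}

def summarize_vt_report(report):
    """Reduce a VT v3 /files/{hash} JSON body to flagged vs. not-flagged engine counts."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    not_flagged = stats.get("harmless", 0) + stats.get("undetected", 0)
    return {"flagged": flagged, "not_flagged": not_flagged}

def lookup_hash(sha256, api_key, opener=urllib.request.urlopen):
    """Look a hash up on VirusTotal. Returns None when VT has never seen it (HTTP 404);
    'unknown' is not the same as 'safe', so callers must treat None separately."""
    req = urllib.request.Request(VT_URL + sha256, headers={"x-apikey": api_key})
    try:
        with opener(req) as resp:
            return summarize_vt_report(json.load(resp))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise

def demo_hashes():
    """Constructed sample download folder with two tiny placeholder files."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "setup.exe").write_bytes(b"abc")
        Path(d, "readme.txt").write_bytes(b"")
        return hash_downloads(d)

if __name__ == "__main__":
    for name, digest in demo_hashes().items():
        print(name, digest)  # feed digest to lookup_hash(digest, "<VT API KEY placeholder>")
```

As Daniel notes, this only reports whether a file is already known; a None result means VirusTotal has no record of the hash, which says nothing about whether the file is safe.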