[Snort-openappid] 4th year student trying to use snort in their project
shane.corridon at mycit.ie
Fri Mar 9 08:37:25 EST 2018
I really appreciate your feedback. I am in a bit over my head with this and
it's too late to make any drastic changes to my project.
I think you are right that I should create a script to upload the file to
an online file checker and if it passes let the user install the content.
But then after it is installed I could run snort across their network to
verify nothing has changed after they have installed the software.
Are there snort rules that would facilitate this? So a rule to scan a user's
pc/network before software is installed and then rescan the network after
the install has finished and display a result of whether there have been any
changes or not?
Thanks so much
On 9 March 2018 at 12:02, Daniel T <daniel92374 at gmail.com> wrote:
> I'm not sure you're going to find what you want with snort.
> Snort is, at its core, a pattern matching software. Meaning you'd have to
> have rules to look for specific strings inside of the network traffic.
> This would become difficult if the traffic is going over HTTPS.
> In answer to your questions:
> 1. Yes, but it needs to be monitored while the download is happening.
> 2. To my knowledge snort only monitors network traffic. It does not look
> at file paths. You would need a tool like Yara for that.
> 3. Snort will look at all network traffic and apply actions to anything
> that matches a rule in your rule list.
> 4. Back to point 2. Snort monitors network traffic only (PCAP is the
> exception to that. You can run snort against a PCAP).
> You're probably better off looking into using Yara for scanning local
> files, however this still runs on a rule list, meaning you'd need to know
> what you want to look for first.
> Your other option which might be easier is to write a script that takes a
> hash of every file you download and uploads that hash to something like
> Virustotal or Filecheck.io. This won't give you automated blocking but it
> will at least tell you if that file is known malicious or not.
> On Fri, Mar 9, 2018, 04:35 Shane Corridon via Snort-openappid <
> snort-openappid at lists.snort.org> wrote:
>> Hi All,
>> I am a 4th year I.T Management student in Cork Institute of Technology. I
>> am currently working on my Final year project. I am building an automated
>> open source software analyser and vulnerability detector. I wish to use
>> snort to analyse open source software that is downloaded from the web by
>> users. I am unsure how to use snort to analyse software downloads without
>> installing them on the machine.
>> The flow of my application is firstly a user downloads any free online
>> software, this will then be analysed using snort and lastly the download
>> will either be blocked or marked safe to use.
>> I need to use snort to examine the software source code and give a result
>> on whether or not the software is safe for the user to use.
>> Can you tell me:
>> 1. Is it possible to use snort to examine software downloads which
>> have not yet been installed on the machine?
>> 2. What file paths is snort monitoring for executable software?
>> 3. How does snort know what to analyse? Is it looking for the file
>> extension such as .exe?
>> 4. If the software downloads need to be installed before snort can
>> scan them, then can I use a script to move the downloads into the
>> appropriate paths so snort can analyse the download without it being
>> Any help is greatly appreciated!
>> Best Regards
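Both ideas raised in this thread (Daniel's suggestion to hash every downloaded file before looking it up against a reputation service, and Shane's follow-up idea of checking a machine before and after an install to see what changed) are host-side checks rather than network pattern matching, so they do not map onto Snort rules. The following is an added example, not code from anyone on this list: it takes a SHA-256 snapshot of a directory tree, takes a second snapshot after a simulated install, and reports added, removed and modified files. The sample tree and the "installer" changes are constructed inside `demo()`; nothing here contacts VirusTotal or any other service, the hashes it returns are simply what you would submit to one.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=65536):
    """SHA-256 hex digest of a file, read in chunks so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (as a POSIX-style relative path) to its hash."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = sha256_of_file(p)
    return result


def diff_snapshots(before, after):
    """Compare two snapshots and list what an install added, removed or changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def hashes_to_check(before, after):
    """Unique hashes of files that are new or changed: the set worth sending to a
    reputation lookup, since unchanged files were already present before the install."""
    changes = diff_snapshots(before, after)
    return sorted({after[p] for p in changes["added"] + changes["modified"]})


def demo():
    """Build a constructed sample tree, snapshot it, apply a simulated install, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline: a tool binary, a config file and an unrelated note.
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"original tool binary\n")
        (root / "config.ini").write_text("setting=1\n")
        (root / "notes.txt").write_text("leave me alone\n")
        before = snapshot(root)

        # Simulated installer: replaces the tool, drops in a library, deletes the config.
        (root / "bin" / "tool").write_bytes(b"patched tool binary\n")
        (root / "lib").mkdir()
        (root / "lib" / "helper.so").write_bytes(b"\x7fELF constructed stub\n")
        (root / "config.ini").unlink()
        after = snapshot(root)

        return diff_snapshots(before, after), hashes_to_check(before, after)


if __name__ == "__main__":
    changes, to_check = demo()
    for kind in ("added", "removed", "modified"):
        print(f"{kind:9s}: {changes[kind]}")
    print("hashes to look up:", to_check)
```

In practice the baseline snapshot is written to disk (a JSON file is enough) before the user installs anything, and the second snapshot is compared against it afterwards; the hashes of added and modified files are then the ones to query, which keeps the lookup volume small and avoids uploading the user's own files. This is a file integrity check, so it only reports that something changed, not whether the change is malicious; that judgement still comes from the reputation service or from a file-scanning tool such as the Yara approach mentioned above.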