[Snort-openappid] 4th year student trying to use snort in their project

Shane Corridon shane.corridon at mycit.ie
Fri Mar 9 08:37:25 EST 2018


Hi Daniel,

I really appreciate your feedback. I am in a bit over my head with this and
it's too late to make any drastic changes to my project.

I think you are right that I should create a script to upload the file to
an online file checker and, if it passes, let the user install the content.
But then, after it is installed, I could run snort across their network to
verify nothing has changed after they have installed the software.
Are there snort rules that would facilitate this? So a rule to scan a user's
PC/network before software is installed, then rescan the network after
the install has finished and display a result of whether there have been any
changes or not?

Thanks so much
Shane


On 9 March 2018 at 12:02, Daniel T <daniel92374 at gmail.com> wrote:

> Shane,
>
> I'm not sure you're going to find what you want with snort.
>
> Snort is, at its core, pattern-matching software, meaning you'd have to
> have rules to look for specific strings inside of the network traffic.
>
> This would become difficult if the traffic is going over HTTPS.
>
> In answer to your questions:
>
> 1. Yes, but it needs to be monitored while the download is happening.
>
> 2. To my knowledge snort only monitors network traffic. It does not look
> at file paths. You would need a tool like Yara for that.
>
> 3. Snort will look at all network traffic and apply actions to anything
> that matches a rule in your rule list.
>
> 4. Back to point 2. Snort monitors network traffic only (PCAP is the
> exception to that. You can run snort against a PCAP).
>
> You're probably better off looking into using Yara for scanning local
> files, however this still runs on a rule list, meaning you'd need to know
> what you want to look for first.
>
> Your other option which might be easier is to write a script that takes a
> hash of every file you download and uploads that hash to something like
> Virustotal or Filecheck.io. This won't give you automated blocking but it
> will at least tell you if that file is known malicious or not.
>
> On Fri, Mar 9, 2018, 04:35 Shane Corridon via Snort-openappid <
> snort-openappid at lists.snort.org> wrote:
>
>> Hi All,
>>
>>
>>
>> I am a 4th year I.T. Management student at Cork Institute of Technology. I
>> am currently working on my final year project. I am building an automated
>> open source software analyser and vulnerability detector. I wish to use
>> snort to analyse open source software that is downloaded from the web by
>> users. I am unsure how to use snort to analyse software downloads without
>> installing them on the machine.
>>
>>
>> The flow of my application is firstly a user downloads any free online
>> software, this will then be analysed using snort and lastly the download
>> will either be blocked or marked safe to use.
>>
>>
>>
>> I need to use snort to examine the software source code and give a result
>> on whether or not the software is safe for the user to use.
>>
>>
>>
>> Can you tell me:
>>
>>    1. Is it possible to use snort to examine software downloads which
>>    have not yet been installed on the machine?
>>    2. What file paths is snort monitoring for executable software
>>    applications?
>>    3. How does snort know what to analyse? Is it looking for the file
>>    extension, such as .exe?
>>    4. If the software downloads need to be installed before snort can
>>    scan them, then can I use a script to move the downloads into the
>>    appropriate paths so snort can analyse the download without it being
>>    installed?
>>
>> Any help is greatly appreciated!
>>
>>
>>
>> Best Regards
>> Shane
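Daniel's suggestion (hash each downloaded file and look the hash up at VirusTotal) and Shane's follow-up (check what changed on the machine before and after an install) are both things Snort does not do, since it inspects network traffic rather than files on disk. Both can be done with a small script. The code below is an added example written for this thread; it is not Snort code, not part of any project mentioned here, and not something either poster wrote. It assumes the VirusTotal v3 endpoint `GET https://www.virustotal.com/api/v3/files/{sha256}` with the key in an `x-apikey` header, reads that key from a `VT_API_KEY` environment variable (an assumption of this example), and the files it hashes in `demo()` are constructed in a temporary directory, not real downloads. Only the hash is sent to VirusTotal, never the file itself, and a 404 from VirusTotal means "never seen", which is not the same as "safe".

```python
"""Hash downloaded files, look the hashes up at VirusTotal, and diff a
before/after snapshot of a directory to see what an install changed.
Added example for this mailing-list thread; not Snort and not any
project's code.  Assumptions: VirusTotal v3 /files/{sha256} lookup with an
x-apikey header, key taken from the VT_API_KEY environment variable; the
files in demo() are constructed sample data."""
import hashlib
import json
import os
import tempfile
import urllib.error
import urllib.request
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large installer never sits in RAM


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    result: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """What changed between two snapshots; 'modified' = same path, different hash."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def parse_vt_report(report: dict) -> Tuple[bool, int]:
    """(known, number_of_engines_flagging_malicious) from a v3 /files/{hash} body."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return True, int(stats.get("malicious", 0))


def vt_lookup(sha256: str, api_key: str) -> Tuple[bool, int]:
    """Ask VirusTotal about a hash. Only the hash leaves the machine, never the file.
    HTTP 404 means VirusTotal has never seen the file: unknown, not safe."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return parse_vt_report(json.load(resp))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return False, 0
        raise


def demo() -> dict:
    """Constructed sample: a download directory before and after a pretend install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 64)      # constructed, not a real PE
        (root / "README.txt").write_text("hello")
        before = snapshot(root)
        (root / "README.txt").write_text("hello, patched")           # modified by the install
        (root / "bin").mkdir()
        (root / "bin" / "tool.dll").write_bytes(b"MZ" + b"\x01" * 64)  # added by the install
        (root / "setup.exe").unlink()                                 # removed by the install
        after = snapshot(root)
        key = os.environ.get("VT_API_KEY")  # assumption: lookup only runs when a key is set
        for rel, digest in before.items():
            if key:
                print(rel, digest, vt_lookup(digest, key))
            else:
                print(rel, digest, "(VT_API_KEY not set, lookup skipped)")
        return {"before": before, "changes": diff_snapshots(before, after)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see the before/after diff on the constructed sample; set `VT_API_KEY` to also query VirusTotal for each hash taken before the install. Treat the diff as a baseline check, not a verdict: an installer is expected to add files, so the interesting output is changes outside the directory the user chose, which is why `snapshot()` takes the root to watch as a parameter.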