[Snort-openappid] 4th year student trying to use snort in their project

Daniel T daniel92374 at gmail.com
Fri Mar 9 13:45:36 EST 2018


Shane,

Snort is a very powerful tool but it runs on a rule list. You have to tell
Snort what to look for. It doesn't look for anomalies.

Your project sounds like you're trying to combine host level application
whitelisting with a SIEM like Security Onion.

-Daniel

On Fri, Mar 9, 2018, 07:37 Shane Corridon <shane.corridon at mycit.ie> wrote:

> Hi Daniel,
>
> I really appreciate your feedback. I am in a bit over my head with this
> and it's too late to make any drastic changes to my project.
>
> I think you are right that I should create a script to upload the file to
> an online file checker and if it passes let the user install the content.
> But then after it is installed I could run Snort across their network to
> verify nothing has changed after they have installed the software.
> Are there Snort rules that would facilitate this? So a rule to scan a user's
> PC/network before software is installed and then rescan the network after
> the install has finished and display a result of whether there has been any
> changes or not?
>
> Thanks so much
> Shane
>
>
> On 9 March 2018 at 12:02, Daniel T <daniel92374 at gmail.com> wrote:
>
>> Shane,
>>
>> I'm not sure you're going to find what you want with Snort.
>>
>> Snort is, at its core, pattern-matching software, meaning you'd have to
>> have rules to look for specific strings inside of the network traffic.
>>
>> This would become difficult if the traffic is going over HTTPS.
>>
>> In answer to your questions:
>>
>> 1. Yes, but it needs to be monitored while the download is happening.
>>
>> 2. To my knowledge snort only monitors network traffic. It does not look
>> at file paths. You would need a tool like Yara for that.
>>
>> 3. Snort will look at all network traffic and apply actions to anything
>> that matches a rule in your rule list.
>>
>> 4. Back to point 2. Snort monitors network traffic only (PCAP is the
>> exception to that. You can run snort against a PCAP).
>>
>> You're probably better off looking into using Yara for scanning local
>> files, however this still runs on a rule list, meaning you'd need to know
>> what you want to look for first.
>>
>> Your other option which might be easier is to write a script that takes a
>> hash of every file you download and uploads that hash to something like
>> Virustotal or Filecheck.io. This won't give you automated blocking but it
>> will at least tell you if that file is known malicious or not.
>>
>> On Fri, Mar 9, 2018, 04:35 Shane Corridon via Snort-openappid <
>> snort-openappid at lists.snort.org> wrote:
>>
>>> Hi All,
>>>
>>> I am a 4th year I.T. Management student in Cork Institute of Technology.
>>> I am currently working on my final year project. I am building an automated
>>> open source software analyser and vulnerability detector. I wish to use
>>> Snort to analyse open source software that is downloaded from the web by
>>> users. I am unsure how to use Snort to analyse software downloads without
>>> installing them on the machine.
>>>
>>> The flow of my application is: firstly a user downloads any free online
>>> software, this will then be analysed using Snort, and lastly the download
>>> will either be blocked or marked safe to use.
>>>
>>> I need to use Snort to examine the software source code and give a
>>> result on whether or not the software is safe for the user to use.
>>>
>>> Can you tell me:
>>>
>>>    1. Is it possible to use Snort to examine software downloads which
>>>    have not yet been installed on the machine?
>>>    2. What file paths is Snort monitoring for executable software
>>>    applications?
>>>    3. How does Snort know what to analyse? Is it looking for the file
>>>    extension such as .exe?
>>>    4. If the software downloads need to be installed before Snort can
>>>    scan them, then can I use a script to move the downloads into the
>>>    appropriate paths so Snort can analyse the download without it being
>>>    installed?
>>>
>>> Any help is greatly appreciated!
>>>
>>> Best Regards,
>>> Shane
>>> _______________________________________________
>>> Snort-openappid mailing list
>>> Snort-openappid at lists.snort.org
>>> https://lists.snort.org/mailman/listinfo/snort-openappid
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
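Daniel's suggestion of hashing every downloaded file for a reputation lookup, and Shane's idea of rescanning a machine before and after an install, are host-level file integrity tasks rather than Snort rules. The script below is an added example, not code from this thread or from the Snort project: it baselines a directory's SHA-256 digests, diffs a second snapshot to report added, removed and modified files, and flags digests found in a constructed known-bad set that stands in for a VirusTotal query. File names and payload bytes are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a reputation lookup (e.g. a VirusTotal hash query).
KNOWN_BAD = {hashlib.sha256(b"constructed bad payload").hexdigest()}

def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large installers never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(before: dict, after: dict) -> dict:
    """Report files added, removed or modified between two snapshots."""
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in before.keys() & after.keys()
                           if before[k] != after[k]),
    }

def flag_known_bad(snap: dict) -> list:
    """Relative paths whose digest matches the known-bad set."""
    return sorted(p for p, d in snap.items() if d in KNOWN_BAD)

def demo() -> dict:
    """Constructed scenario: baseline a folder, 'install', then diff and flag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup.exe").write_bytes(b"legit installer bytes")
        (root / "readme.txt").write_bytes(b"version 1")
        before = snapshot(root)
        (root / "readme.txt").write_bytes(b"version 2")        # modified
        (root / "bin").mkdir()
        (root / "bin" / "helper.dll").write_bytes(b"constructed bad payload")
        after = snapshot(root)
        report = diff_snapshots(before, after)
        report["flagged"] = flag_known_bad(after)
        return report

if __name__ == "__main__":
    print(demo())
```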