[Snort-openappid] 4th year student trying to use snort in their project
daniel92374 at gmail.com
Fri Mar 9 13:45:36 EST 2018
Snort is a very powerful tool but it runs on a rule list. You have to tell
Snort what to look for. It doesn't look for anomalies.
Your project sounds like you're trying to combine host level application
whitelisting with a SIEM like Security Onion.
On Fri, Mar 9, 2018, 07:37 Shane Corridon <shane.corridon at mycit.ie> wrote:
> Hi Daniel,
> I really appreciate your feedback. I am in a bit over my head with this
> and it's too late to make any drastic changes to my project.
> I think you are right that I should create a script to upload the file to
> an online file checker and if it passes let the user install the content.
> But then after it is installed I could run snort across their network to
> verify nothing has changed after they have installed the software.
> Are there snort rules that would facilitate this? So a rule to scan a user's
> pc/network before software is installed and then rescan the network after
> the install has finished and display a result of whether there has been any
> changes or not?
> Thanks so much
> On 9 March 2018 at 12:02, Daniel T <daniel92374 at gmail.com> wrote:
>> I'm not sure you're going to find what you want with snort.
>> Snort is, at its core, a pattern matching software. Meaning you'd have to
>> have rules to look for specific strings inside of the network traffic.
>> This would become difficult if the traffic is going over HTTPS.
>> In answer to your questions:
>> 1. Yes, but it needs to be monitored while the download is happening.
>> 2. To my knowledge snort only monitors network traffic. It does not look
>> at file paths. You would need a tool like Yara for that.
>> 3. Snort will look at all network traffic and apply actions to anything
>> that matches a rule in your rule list.
>> 4. Back to point 2. Snort monitors network traffic only (PCAP is the
>> exception to that. You can run snort against a PCAP).
>> You're probably better off looking into using Yara for scanning local
>> files, however this still runs on a rule list, meaning you'd need to know
>> what you want to look for first.
>> Your other option which might be easier is to write a script that takes a
>> hash of every file you download and uploads that hash to something like
>> Virustotal or Filecheck.io. This won't give you automated blocking but it
>> will at least tell you if that file is known malicious or not.
>> On Fri, Mar 9, 2018, 04:35 Shane Corridon via Snort-openappid <
>> snort-openappid at lists.snort.org> wrote:
>>> Hi All,
>>> I am a 4th year I.T. Management student in Cork Institute of Technology.
>>> I am currently working on my Final year project. I am building an automated
>>> open source software analyser and vulnerability detector. I wish to use
>>> snort to analyse open source software that is downloaded from the web by
>>> users. I am unsure how to use snort to analyse software downloads without
>>> installing them on the machine.
>>> The flow of my application is firstly a user downloads any free online
>>> software, this will then be analysed using snort and lastly the download
>>> will either be blocked or marked safe to use.
>>> I need to use snort to examine the software source code and give a
>>> result on whether or not the software is safe for the user to use.
>>> Can you tell me:
>>> 1. Is it possible to use snort to examine software downloads which
>>> have not yet been installed on the machine?
>>> 2. What file paths is snort monitoring for executable software?
>>> 3. How does snort know what to analyse? Is it looking for the file
>>> extension such as .exe?
>>> 4. If the software downloads need to be installed before snort can
>>> scan them, then can I use a script to move the downloads into the
>>> appropriate paths so snort can analyse the download without it being
>>> Any help is greatly appreciated!
>>> Best Regards
>>> Snort-openappid mailing list
>>> Snort-openappid at lists.snort.org
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
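Two ideas in the thread sit outside Snort's network-traffic scope: Daniel's suggestion of hashing each downloaded file and looking the hash up against a known-malicious list, and Shane's idea of recording the state of a machine before an install and rescanning afterwards to report what changed. The following is an added, self-contained example (not code from the thread, Snort, or any of the tools named) that does both with a local file-hash baseline. The known-bad hash list is constructed for the example, standing in for an online lookup such as VirusTotal so it runs offline; the files and the simulated installer are constructed as well.

```python
"""Baseline-and-diff file integrity check plus hash lookup against a
known-bad list. Added illustration for the thread above; the blocklist,
sample files and simulated installer are all constructed."""
import hashlib
import tempfile
from pathlib import Path

# Constructed known-bad SHA-256 set standing in for an online reputation
# lookup (placeholder values, not real malware hashes).
KNOWN_BAD = {
    hashlib.sha256(b"constructed known-bad sample").hexdigest(),
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large downloads don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root (the 'scan')."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[str(p.relative_to(root))] = sha256_file(p)
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Report what an install added, removed or modified between two scans."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def check_download(path: Path, known_bad=KNOWN_BAD) -> dict:
    """Hash a downloaded file and check it against the known-bad list."""
    digest = sha256_file(path)
    return {"sha256": digest, "known_bad": digest in known_bad}


def demo() -> dict:
    """Constructed walk-through: scan, simulate an installer, rescan, verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "etc.conf").write_text("setting=1\n")
        before = snapshot(root)

        # Simulated installer: adds a helper, edits the config, drops a bad file.
        (root / "bin" / "helper").write_bytes(b"new helper")
        (root / "etc.conf").write_text("setting=2\n")
        (root / "dropped.bin").write_bytes(b"constructed known-bad sample")
        after = snapshot(root)

        changes = diff_snapshots(before, after)
        # Every file the install added gets a hash-reputation check.
        verdicts = {name: check_download(root / name) for name in changes["added"]}
        return {"changes": changes, "verdicts": verdicts}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The baseline/diff step answers Shane's "has anything changed" question directly and needs no rule list; the hash check does need an external source of known-bad hashes, which is the limitation Daniel points out (it reports known-malicious files, it does not block or find novel ones).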