Snort is a very powerful tool but it runs on a rule list.  you have to tell Snort what to look for.  It doesn't look for anomalies. 

Your project sounds like you're trying to combine host level application whitelisting with a SIEM like Security Onion. 


On Fri, Mar 9, 2018, 07:37 Shane Corridon <> wrote:
Hi Daniel,

I really appreciate your feedback. I am in a bit over my head with this and its too late to make any drastic changes to my project.

I think you are right that I should create a script to upload the file to an online file checker and if it passes let the user install the content. But then after it is installed I could run snort across there network to verify nothing has changed after they have installed the software.
Is there snort rules that would facilitate this? so a rule to scan a users pc/network before softwrae is installed and then rescan the network after the install has finished and display a result of weather there has been any changes or not?

Thanks so much

On 9 March 2018 at 12:02, Daniel T <> wrote:

I'm not sure you're going to find what you want with snort. 

Snort is, at its core, a pattern matching software. Meaning you'd have to have rules to look for specific strings inside of the network traffic. 

This would become difficult if the traffic is going over HTTPS.

In answer to your questions:

1. Yes, but it need to be monitored while the download is happening. 

2. To my knowledge snort only monitors network traffic. It does not look at file paths. You would need a tool like Yara for that. 

3. Snort will look at all network traffic and apply actions to anything that matches a rule in your rule list. 

4. Back to point 2. Snort monitors network traffic only (PCAP is the exception to that. You can run snort against a PCAP). 

You're probably better off looking into using Yara for scanning local files, however this still runs on a rule list, meaning you'd need to know what you want to look for first. 

Your other option which might be easier is to write a script that takes a hash of every file you download and uploads that hash to something like Virustotal or This won't give you automated blocking but it will at least tell you if that file is known malicious or not. 

On Fri, Mar 9, 2018, 04:35 Shane Corridon via Snort-openappid <> wrote:

Hi All,


I am a 4th year I.T Management student in Cork Institute of Technology. I am currently working on my Final year project. I am building an automated open source software analyser and vulnerability detector. I wish to use snort to analysis open source software that is downloaded from the web by users. I am unsure how to use snort to analysis software downloads without installing them on the machine.

The flow of my application is firstly a user downloads any free online software, this will then be analysed using snort and lastly the download will either be blocked or marked safe to use.


I need to use snort to examine the software source code and give a result on whether or not the software is safe for the user to use.


Can you tell me:

  1. Is it possible to use snort to examine software downloads which have not yet been installed on the machine?
  2. what file paths is snort monitoring for executable software applications
  3. how does snort know what to analysis. is it looking for the file extension such as .exe?
  4. If the software downloads need to be installed before snort can scan them, then can I use a script to move the downloads into the appropriate paths so snort can analyse the download without it being installed?

Any help is greatly appreciated!


Best Regards

Snort-openappid mailing list

Please visit to stay current on all the latest Snort news!