[Snort-users] Snort 3.0 is not detecting shell code attacks

João Pedro oladj at live.com.pt
Mon Jun 17 06:30:24 EDT 2019

I send those files enclosed in this email. It's possible to check now my problem easily.

I run this command every time I want to test Snort:

    snort -r myfile.pcapng -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules -A alert_json > alerts.json

I'm expecting the rules "1394" and "648" to be triggered, but it is not working... In the .pcap file it is possible to see buffer overflow attacks tested by me (e.g. check the filter "tcp.dstport==50096 or tcp.dstport==50098").

What is the problem?

At 02:26 on 17/06/19, Russ Combs (rucombs) wrote:

Please send pcap, rules, config so we can help you out.

On 6/16/19, 7:39 PM, "Snort-users on behalf of João Pedro via Snort-users"
<snort-users-bounces at lists.snort.org on behalf of
snort-users at lists.snort.org> wrote:

I'm testing snort 3.0 with Community rules.
Besides triggering alerts from port scans, it is not detecting Buffer
Overflow attacks (i.e. made with Metasploit).
Is there a problem with the current rules in Snort 3.0? Should I
activate/config something else?

Ps: I'm testing Snort from .pcap files
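One way to check the alerts.json produced by the command above for the SIDs the thread expects, as an added example that is not part of this thread or of Snort's own tooling. It assumes the default alert_json field list, where "rule" carries gid:sid:rev and "dst_ap" carries address:port; the sample records below are constructed.

```python
import json
import sys

# From the thread: the SIDs the poster expects and the destination ports
# carrying the test traffic (his Wireshark filter tcp.dstport==50096 or 50098).
EXPECTED_SIDS = {1394, 648}
TEST_PORTS = {50096, 50098}

# Constructed sample of Snort 3 alert_json output (one object per line, default
# field list; "rule" is "gid:sid:rev"). The third line simulates a stray non-JSON line.
SAMPLE_ALERTS = """\
{ "timestamp" : "06/17-06:30:24.000001", "pkt_num" : 12, "proto" : "TCP", "dir" : "C2S", "src_ap" : "192.0.2.10:41234", "dst_ap" : "192.0.2.20:50096", "rule" : "1:1394:15", "action" : "allow" }
{ "timestamp" : "06/17-06:30:25.000002", "pkt_num" : 40, "proto" : "TCP", "dir" : "C2S", "src_ap" : "192.0.2.10:41235", "dst_ap" : "192.0.2.20:22", "rule" : "1:1000001:1", "action" : "allow" }
snort: warning: this line is not an alert record
"""

def parse_alerts(text):
    """Return a list of (sid, dst_port) for each alert_json record; non-JSON lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        sid = rec.get("sid")  # only present if the configured field list includes "sid"
        if sid is None:
            parts = str(rec.get("rule", "")).split(":")
            if len(parts) == 3 and parts[1].isdigit():
                sid = int(parts[1])
        if sid is None:
            continue
        dst_port = None
        dst_ap = rec.get("dst_ap", "")
        if ":" in dst_ap and dst_ap.rsplit(":", 1)[1].isdigit():  # rsplit also copes with IPv6
            dst_port = int(dst_ap.rsplit(":", 1)[1])
        out.append((int(sid), dst_port))
    return out

def check_expected(alerts, expected=EXPECTED_SIDS, ports=TEST_PORTS):
    """Report which expected SIDs never fired, fired on the test ports, or fired only elsewhere."""
    seen = {sid for sid, _ in alerts}
    on_ports = {sid for sid, port in alerts if port in ports}
    return {
        "missing": sorted(expected - seen),
        "fired_on_test_ports": sorted(expected & on_ports),
        "fired_elsewhere_only": sorted((expected & seen) - on_ports),
    }

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(json.dumps(check_expected(parse_alerts(text)), indent=2))
```

Run it as `python3 check_alerts.py alerts.json` (hypothetical script name); a SID listed under "missing" never fired on any packet in the pcap, which separates "rule not loaded or disabled" from "rule loaded but not matching this traffic".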
