You are an excellent teacher. Very careful, not condescending and you talk at a nice pace. Thank you very much!
@richardbennett4365 1 year ago
Who would be condescending? I hear a lot of students claiming, proclaiming, or even accusing inaccurately or erroneously a professor or instructor as condescending. Call it what you want, but the teacher teaches while the student learns, so there's always and necessarily a level difference. A teacher needs to be expert in order to teach the novice who is not expert, but is hoping and studying to be expert. If good enough, the student can then surpass the teacher and then be "condescending" toward teacher in what new subject about which the student has become expert.
@jibberjabber69194 years ago
Hey, your videos are really good and helpful. Please come back and create some more.
@ptianu9 years ago
This is a great tutorial. This is exactly what I was looking for.
@FalahAwad-pr9ez 1 year ago
Thanks a lot for this explanation, you are an excellent teacher
@kushagravarma8 1 year ago
Hi! Thanks for the tutorial. I have been trying to listen on port 1883, but nothing seems to work. Could you please help? I want to detect the MQTT protocol via Snort.
@estoperopy9 years ago
This video makes "SNORT BASICS" more understandable, which is what I need! Thanks for posting it!! Is it possible to show us all how to write rules for brute force attacks against the HTTP ports with different tools like Hydra or Medusa? Thanks a lot!
@serdarerkan81269 years ago
Thank you for your clear explanation of rule basics.
@HSN.LTD08242 years ago
How can I create a rule to detect and drop DoS/DDoS packets?
@JeanDoeShow9 years ago
Thanks a lot, your video made the subject a whole lot more understandable!
@takanomi18 years ago
Thanks Dr. Craiger, you rock!
@christreedee4 years ago
Sorry it is so late, love to run this in a VM or something that will watchdog and probes, should I maybe put it on a separate box?
@lexiaontube8 years ago
How did it catch the Google search... it's over HTTPS long ago, isn't it??
@coffeedude2 years ago
I don't get that either
@allanng786 years ago
Hi, thanks for the video. It has given me some of the information I need to write my own rules. I wish to know, if I want to get an alert for a download, how do I write the rule in Snort to detect that? Hope to hear from you. Thanks.
@nikeshkakshapati66336 years ago
Can we block an IP using Snort? Can you do it with some rules in drop actions?
@kevingeil34579 years ago
VERY nice video. Thank you. Can you share the presentation software you used to create this? Thanks again!
@PedroMatosMAC4 years ago
Very very good tutorial, excellent indeed! Thanks a lot!
@antariencaysencays12858 years ago
How to create the alert file? I can't seem to understand that part.
@travellingguitarsinger8 years ago
Hi Phillip, awesome presentation. I am not able to get an alert generated on the rule below; I did exactly what you demonstrated. alert tcp 10.113.57.118 any -> any 80 (msg:"Terror search"; content:"terrorism"; nocase; sid:10001;) I am able to get alerts on other kinds of basic rules like ping, etc. Please let me know what may be wrong. Or is it something that needs to be updated in the conf file?
@ElRammo8 years ago
+Amit Nag I have this same issue - did you find a solution?
@travellingguitarsinger8 years ago
+El Rammo, try the -d option and your Ethernet device ID; it worked for me after this. snort -d -i eth1 -c /home/demo/snort_confs/snort.conf -l /tmp/ -k none
@ElRammo8 years ago
Thanks I'll give it a go.
@akramjaiem47674 years ago
Me too, I have a problem with that specific rule. Did you make it work?
@abdulrahmanabdulnasir934510 years ago
Thank you. I really enjoyed it.
@benjamincastricone66778 years ago
Well explained! Thank you sir!
@Vinay_Gurram8 years ago
Hello, I am a newbie, facing this error: ERROR: /etc/snort//etc/snort/rules/myrules.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/myrules.rules": No such file or directory. Thanks in advance.
@serhiikorolik7 years ago
It seems that you wrote the wrong include in your snort.conf file. Check that it is exactly: "include /etc/snort/rules/myrules.rules" or "include $RULE_PATH/myrules.rules" and var RULE_PATH /etc/snort/rules
@GlicerioCatolico9 years ago
What a great tutorial, sir!!! But how do I configure Snort to avoid false alerts on Windows? Because I enabled those rules that have # at the beginning, thinking it would make detection more efficient. I'm not familiar with tuning Snort; all I know is that it detects intrusions, but when I tried a dictionary attack it gave a false alert. I created a webpage using Apache with a login form, so I will try to brute force the login using a dictionary attack. But before I started, I tried logging in to that webpage, and it was a regular login, which is not actually harmful, but it gave an alert saying potentially bad traffic. I am creating a GUI programmed to capture intrusions using Snort with mobile alerts and prevent them by passing the alert to Windows Firewall, since I'm using Windows. But I find it unreliable to prevent a regular login and treat it as an intrusion. I need to tune Snort. Hope you can teach me. This is for my project study, which is almost done, but I need Snort to really capture a threat. Thank you in advance, sir.
@estoperopy9 years ago
+Glicerio Catolico Hi Glicerio, I imagine you speak Spanish. I am also working on a project that involves implementing Snort. My problem is that I have already run dictionary-based brute force attacks against a basic web page on my localhost, but Snort does not detect them... maybe we could exchange experiences. Thanks and regards!
@GlicerioCatolico9 years ago
+Victor Amarilla Sorry sir, I don't speak Spanish, I'm Filipino.
@estoperopy9 years ago
+Glicerio Catolico Hi Glicerio, thanks for your quick response. I've said before that I'm also involved in a project that includes Snort/IDS-IPS. I have already tested a brute force attack, based on dictionaries for user and password, against a very basic PHP login homepage; before that I wrote the rule, but somehow Snort does not detect this attack. Maybe we can exchange experiences about this matter; if I can help you, just let me know. Have a nice time!
@GlicerioCatolico9 years ago
+Victor Amarilla Sir, it can detect it, based on my experience. The only thing is that it also detects a normal login. So it's a priority 2 alert with a false positive. I interpret it as an alert when the same source and dest IP occur repeatedly. So in my program you will have to manually prevent it, because preventing all priority 2 alerts will be prone to false prevention. I only set priority 1 as the default autoblock.
@GlicerioCatolico9 years ago
+Victor Amarilla And sir, by the way, I'm using the Windows version of Snort, which has no inline or IPS. I create a program that gives Windows Snort a GUI with mobile alerts and firewall prevention. You might be using the Unix version, which I really haven't touched yet.
@jermainesmalls60208 years ago
How do you save the rule you have written? Is it Ctrl+S?
@kaiorafael4298 years ago
In VIM/VI you should type ESC, then ":wq" (without "")
@qsyt7319 years ago
Thanks, helped a lot for my implementation
@RevanSK9 years ago
Brilliant video. Thank you
@yangdu18398 years ago
I can receive alerts, but why is my alert file binary code?
@richardbennett4365 1 year ago
Why is the narrator saying "variable" when he's talking about the directory named /var?
@MrBrewww7 years ago
I don't have the alert file either. Could someone help me with this?
@peternoschese96374 years ago
Super helpful Thanks!
@tarundixit5807 years ago
How do I block youtube.com using Snort without blocking Google Drive for selected users/groups?
@kamikaze63639 years ago
Very helpful. Thanks.
@dreamyrhodes9 years ago
No one ever explains what "HOME_NET" means. Yes it's the "network we want to protect" but what exactly does that mean? Are $HOME_NET sources treated differently? Are packets trusted from there? How exactly are they trusted?
@walidelgadal11468 years ago
Thank you!
@user-hn1dd1nj9e8 years ago
Thank you! You are such a handsome guy! I like you!
@gustavocinak76569 years ago
DDoS configuration please
@DouglasMugnosit9 years ago
Gustavo Cinak, you can find that rule in: /etc/snort/rules/ddos.rules.
@miteshpurohit16917 years ago
How to perform a buffer overflow attack in cmd using Snort?