Snort mailing list archives

Re: 4th year student trying to use snort in their project


From: wkitty42 () windstream net
Date: Fri, 9 Mar 2018 11:25:26 -0500

On 03/09/2018 05:08 AM, Shane Corridon via Snort-sigs wrote:
Hi All,

I am a 4th year I.T. Management student in Cork Institute of Technology. I am currently working on my final-year project. I am building an automated open source software analyser and vulnerability detector. I wish to use snort to analyse open source software that is downloaded from the web by users. I am unsure how to use snort to analyse software downloads without installing them on the machine.


snort is a packet-level network traffic sniffer... it sniffs the traffic on your network (eg: perimeter firewall WAN<->LAN pipe) and analyses it for matches to the rules you have selected for use...

there are other similar tools which will extract a file as it is being downloaded... they extract the file right out of the data stream and save it for later analysis... the destination device/operator won't even know about the extraction because it is just a copy of the data making up the file...

additionally, there are tools which will save the raw network traffic stream for close inspection at a later time if needed (eg: tcpdump, wireshark, etc)... some of these tools can be used for analysis of pcap files... some of the extractors can also perform the extraction of a file from a pcap file...

so, in your case, you would be sniffing the file *while it is in-transit* to the user's device from the source server on the WAN... a malware detector (virus, trojan, etc) should still be used on individual devices to protect against something that might make it through as well as from lateral movement attempts from other devices on the local network...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
