Snort mailing list archives

Re: Snort 3.0 is not detecting shell code attacks


From: Dorian ROSSE via Snort-users <snort-users () lists snort org>
Date: Mon, 17 Jun 2019 11:14:26 +0000

Maybe the community rules aren't enough against these attacks?

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of João Pedro via Snort-users <snort-users () lists snort org>
Sent: Monday, June 17, 2019 12:51:01 PM
To: snort-users () lists snort org; Russ Combs (rucombs)
Subject: Re: [Snort-users] Snort 3.0 is not detecting shell code attacks


It is also possible to check my config files and .pcap file at: https://we.tl/t-CL0SotgzlU

At 11:30 on 17/06/19, João Pedro via Snort-users wrote:

I'm sending those files enclosed in this email. It is now possible to check my problem easily.

I run this command every time I want to test Snort:

  *   snort -r myfile.pcapng -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules -A alert_json > alerts.json

I'm expecting rules "1394" and "648" to be triggered, but it is not working... In the .pcap file it is possible to see the buffer overflow attacks I tested (e.g. check the filter "tcp.dstport==50096 or tcp.dstport==50098").

What is the problem?

At 02:26 on 17/06/19, Russ Combs (rucombs) wrote:

Please send pcap, rules, config so we can help you out.

On 6/16/19, 7:39 PM, "Snort-users on behalf of João Pedro via Snort-users" <snort-users-bounces () lists snort org on behalf of snort-users () lists snort org> wrote:



I'm testing Snort 3.0 with the Community rules.
Apart from triggering alerts on port scans, it is not detecting buffer overflow attacks (i.e. ones made with Metasploit).
Is there a problem with the current rules in Snort 3.0? Should I activate/configure something else?

PS: I'm testing Snort from .pcap files

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette





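Added example for this thread, not code from the Snort project or from any of the posters: a small Python triage script for the situation described above. Given the rules file passed with -R, the alerts.json written by -A alert_json, and the SIDs expected to fire, it reports for each SID whether it is missing from the file, present but commented out, enabled but silent (printing the rule header so the protocol, nets and ports can be compared with the pcap's destination ports), or fired and how often. It assumes the default alert_json field set, in which the "rule" field holds "gid:sid:rev", and one rule per line; the rule and alert lines embedded in it are constructed samples, not the real community rule text or the poster's output.

```python
"""Triage helper for a "rule X did not fire" pcap replay in Snort 3.

Added example for this mailing-list thread; not code from the Snort project.
Assumptions: alert_json's "rule" field is "gid:sid:rev" (default field set),
one rule per line; SAMPLE_RULES and SAMPLE_ALERTS are constructed samples.
"""
import json
import re
import sys
from collections import Counter

# Constructed sample rules (not the real snort3-community.rules text).
SAMPLE_RULES = r"""
# a comment line that is not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"constructed shellcode rule A"; content:"|90 90 90 90 90 90 90 90|"; sid:648; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"constructed shellcode rule B"; content:"|41 41 41 41 41 41 41 41|"; sid:1394; rev:1;)
alert tcp any any -> any 80 (msg:"constructed http rule"; content:"GET"; sid:1000001; rev:1;)
"""

# Constructed sample alert_json output, one JSON object per line.
SAMPLE_ALERTS = "\n".join([
    '{"timestamp":"06/17-10:00:00.000001","pkt_num":3,"proto":"TCP","dir":"C2S",'
    '"src_ap":"10.0.0.5:41000","dst_ap":"10.0.0.9:80","rule":"1:1000001:1","action":"allow"}',
    '{"timestamp":"06/17-10:00:01.000001","pkt_num":7,"proto":"TCP","dir":"C2S",'
    '"src_ap":"10.0.0.5:41001","dst_ap":"10.0.0.9:80","rule":"1:1000001:1","action":"allow"}',
])

# Rule header: optional leading '#' (disabled), action, proto, src, sport, dir, dst, dport, '('
HEADER_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|block|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def index_rules(text):
    """Map sid -> header fields plus an enabled flag, for every rule line in text."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if not m:
            continue          # blank line, plain comment, or not a rule header
        s = SID_RE.search(line)
        if not s:
            continue          # header without a sid option; nothing to key on
        rules[int(s.group(1))] = {
            "enabled": m.group("disabled") is None,
            "proto": m.group("proto"),
            "src": m.group("src"), "sport": m.group("sport"),
            "dst": m.group("dst"), "dport": m.group("dport"),
        }
    return rules


def count_fired(alert_lines):
    """Count generator-1 (text rule) sids seen in alert_json lines."""
    fired = Counter()
    for raw in alert_lines:
        line = raw.strip()
        if not line:
            continue
        rec = json.loads(line)
        gid, sid, _rev = rec["rule"].split(":")   # assumption: "gid:sid:rev"
        if gid == "1":
            fired[int(sid)] += 1
    return fired


def triage(expected_sids, rules_text, alert_lines):
    """Return {sid: status} explaining why each expected sid did or did not fire."""
    rules = index_rules(rules_text)
    fired = count_fired(alert_lines)
    report = {}
    for sid in expected_sids:
        r = rules.get(sid)
        if r is None:
            report[sid] = "missing from rules file"
        elif not r["enabled"]:
            report[sid] = "present but commented out"
        elif fired[sid] == 0:
            report[sid] = ("enabled, did not fire: check that %s %s:%s -> %s:%s covers the "
                           "pcap traffic (port/net variables come from snort.lua) and that "
                           "the content options match the payload"
                           % (r["proto"], r["src"], r["sport"], r["dst"], r["dport"]))
        else:
            report[sid] = "fired %d time(s)" % fired[sid]
    return report


if __name__ == "__main__":
    # Usage: python3 triage.py <rules file> <alerts.json> <sid> [<sid> ...]
    # With no arguments the constructed samples above are used.
    if len(sys.argv) >= 4:
        with open(sys.argv[1]) as f:
            rules_text = f.read()
        with open(sys.argv[2]) as f:
            alert_lines = f.readlines()
        sids = [int(a) for a in sys.argv[3:]]
    else:
        rules_text, alert_lines = SAMPLE_RULES, SAMPLE_ALERTS.splitlines()
        sids = [648, 1394, 1000001, 2000000]
    for sid, status in triage(sids, rules_text, alert_lines).items():
        print("sid %d: %s" % (sid, status))
```

Against real files this would be run as `python3 triage.py /usr/local/etc/snort/rules/snort3-community.rules alerts.json 1394 648`. A rule that is enabled and still silent comes down to either its header (a port or net variable, resolved from snort.lua, that does not cover the capture's addresses and destination ports) or its content options not matching the bytes actually on the wire; the script narrows the question to that, and comparing the payload in the pcap with the rule's content options is the next step.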
