Netgate Discussion Forum
Tag: ids
      Snort Custom Rule not alerting on traffic

      Category: IDS/IPS · Tags: snort, ids · Started by: erasedhammer
      0 Votes · 4 Posts · 42 Views

      bmeeks

      @erasedhammer said in Snort Custom Rule not alerting on traffic:

      So filtering on dsize greater than zero with a Syn flag should match any TCP Syn packet with something in the TCP payload.

      But I believe your "content:" string is going to be checked and found not present, thus no alert.

      The way I understand the content keyword is that it will expect to find that particular string in the packet payload, and if the entire string is not present in the payload then it will not alert.

      Your rule is looking for the string "TCP SYN Packet Containing Data Payload Detected", but that exact string is not present in your rule. Instead, your test is loading the payload with the string "datadatadatadatadata".


      Grafana GeoIP dashboard

      Category: pfSense Packages · Tags: telegraf, grafana, ids · Started by: badincite
      0 Votes · 1 Post · 357 Views

      No one has replied


      IDS/IPS With VLANS, VPN, TLS & Network Setup

      Category: IDS/IPS · Tags: vpn, vlans, suricata, sg-2100, ids · Started by: rennit
      0 Votes · 1 Post · 449 Views

      No one has replied


      Suricata Alerts - ET INFO Observed DNS Query to .biz TLD

      Category: IDS/IPS · Tags: suricata, ids, ips, alerts · Started by: thawee
      1 Vote · 9 Posts · 9253 Views


      @bmeeks

      Kk, sounds good.

      Thanks, my friend, I will check it out, and I will ask my ISP about that, because I am seeing a whole range of IPs in the same scope as my public WAN IP, as well as IPs that look to be going to different IP addresses not related to me at all and that are on the same subnet as my public WAN.

      Thanks again.


      Snort not detecting my interface (snort -W) on Windows 10

      Category: IDS/IPS · Tags: windows 10, snort, ids · Started by: shinigami99
      1 Vote · 2 Posts · 704 Views

      bmeeks

      This forum is for users of Snort on pfSense only. There is no support for Windows versions of Snort available here.


      Suricata Fast.log, but in JSON?

      Category: Off-Topic & Non-Support Discussion · Tags: suricata, ids · Started by: BurningJenkinsContainer
      0 Votes · 4 Posts · 2267 Views


      Found an answer, took me long enough given it was right in front of me the whole time...

      On Line 60 in the YAML, you can disable Stats - that probably cuts down 80% of the garbage data in EVE.

      You can further disable logging (in EVE) under metadata for DNS, TLS, TCP, HTTP, etc. -- YMMV, but I feel keeping that stuff is fine since you can filter it out using something like Kibana or Splunk readily.


      Is cloning pfSense a good idea?

      Category: Installation and Upgrades · Tags: cloning, ids · Started by: hannes.hutmacher
      0 Votes · 3 Posts · 344 Views


      @hannes-hutmacher I think it will be better if you save your config to an XML file and then make a fresh install, including the XML import option.
      Please see https://docs.netgate.com/pfsense/en/latest/backup/index.html