snort | Snort Rules | Rule Engine library

I have a project which has a docker-compose file and a Dockerfile. The project is open here GitHub

I'm building a demo project with:

• Traefik
• Snort 3
• A NodeJS API dummy for testing

The issue is that in my Docker file I have a command like this to run on Snort

Hi everyone I have Grafana v 7.5.7 and I'm trying to extract some content from my data.

In this case, my goal is to take the message from snort alert. I created an event. original as my own variable to collect data from elastic search and now I can see my logs.

Details from Variables Settings

any regex wizards able to help?

I'm trying to get the regex to parse the Suricata fast log. So far I found a old post that kind of works here but would like to get all the data out of the log.

So far I can get the time, date, source ip, source port, destination ip and destination port but would like to also get the alert title, classification and priority.

Log file:

On using

nl /etc/snort/etc/snort.conf | grep output

i get the result,

Let's say I have these classes in JavaScript, and I'm trying to convert them to TypeScript:

I've read a few of the articles on Span (and ReadOnlySpan) and how they musn't be used in async methods.

There was a great Chanel 9 video by Jared Parsons where he showed the following example:

I am trying to separate the IP and Port on the last part of the line but there are other colons present in the line so I have to use regex to identify the IPv4 format, then isolate the matched pattern to IP: then replace the colon with a comma keeping the IP part of the pattern unchanged. I know I have to use capture groups, but it appears its not doing anything?

Input Data:

SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder [Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.168.202.50:60322 -> 192.168.22.252:445

1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) Which ip is the attacker?

2)Data on SYN packet [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.199.58:63000 -> 192.168.28.100:60000

1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) in which part of the snort architecture this alert came from?

3)SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - udp port 407 [Classification: Misc activity] [Priority: 3] {UDP} 192.168.199.58:59173 -> 192.168.22.201:407 1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) who is host and who is victim?

4) snort: [1:3815:6] SMTP eXchange POP3 mail server overflow attempt [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.199.58:60327 -> 192.168.21.151:25 1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) who is host and who is attacker?

I have done a ton of searchers but could not understand or find any details information about those signature. please help

• /usr/bin/ld: /usr/local/lib/libdnet: file not recognized: Is a directory collect2: error: ld returned 1 exit status make[6]: * [Makefile:486: libsf_sorules.la] Error 1 make[6]: Leaving directory '/usr/src/snort-2.9.15.1/src/dynamic-plugins/sf_engine/examples' make[5]: [Makefile:623: all-recursive] Error 1 make[5]: Leaving directory '/usr/src/snort-2.9.15.1/src/dynamic-plugins/sf_engine' make[4]: [Makefile:522: all] Error 2 make[4]: Leaving directory '/usr/src/snort-2.9.15.1/src/dynamic-plugins/sf_engine' make[3]: [Makefile:439: all-recursive] Error 1 make[3]: Leaving directory '/usr/src/snort-2.9.15.1/src/dynamic-plugins' make[2]: [Makefile:547: all-recursive] Error 1 make[2]: Leaving directory '/usr/src/snort-2.9.15.1/src' make[1]: * [Makefile:505: all-recursive] Error 1 make[1]: Leaving directory '/usr/src/snort-2.9.15.1' make: *** [Makefile:370: all] Error 2

  • Heading

  =======