Stateful detection in Snort

From whatever I have read of Snort, it can analyse a single packet at a time and raise an alert based on its rules.

What if I wish to have a rule based on multiple packets such as analysis of a protocol situation that can maintain its states, e.g. TCP or TLS?

Ubuntu 18.04 snort protection

Recently I installed Snort on my Ubuntu Server 18.04 and also wrote some rules in local.rules. It perfectly detects my rules like ping, simple DoS attacks, etc.

I have 4 questions:

  1. How can I block a specific IP address in Snort detection rules? (for example in DoS detection rules)

  2. Does Snort store any data about detections like IPs, contents, etc. in some database? With apt-get install snort, MySQL has been installed too.

  3. Is it possible to run a script on alert?

  4. When I used the reject action and started Snort in console mode, I got a

connection refused

error on SSH, and can't log in to SSH anymore until I restart the server. The rule is:

reject tcp any any -> $HOME_NET any (msg:"simple dos attack"; threshold:type both, count 50, seconds 5, track by_dst; sid:1000001;)

Snort Rule to check for TCP options

Let's say malformed packets are sent by an attacker with an improper TCP options length, i.e., 50 bytes, 222 bytes, etc.

Is there any way to monitor these packets having invalid TCP options set, using Snort or Suricata?

Do we have any tag that can look in the TCP header (check for a particular offset, etc.)?

Snort “(spp_ssh) Challenge-Response Overflow exploit” Vulnerabilities

What does “Response Overflow exploit” mean?

Is it SSH that is remotely exploitable and may allow unauthenticated attackers to obtain root privileges?

snort[80325]: [128:1:1] (spp_ssh) Challenge-Response Overflow exploit [Classification: Attempted Administrator Privilege Gain] [Priority: 1] 

Snort logs in csv

I’m trying to get the output of the Snort log file in CSV format. For this, in snort.conf, I added output alert_csv: alert.csv default but there is no alert.csv file created. How do I access this file?