Snort mailing list archives
Re: Snort Host Attribute table
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Thu, 25 Mar 2010 13:05:57 -0400
Sorry Wally, I'll do my best to fill in with what I know. 1) Basically by virtue of tuning frag3 and stream5 so that Snort is now assembling traffic in the same way that the host is, Snort is able to leverage this in the other preprocessors; I don't believe there is a direct result on the tuning of other preprocessors such as those you have listed below. As far as it affecting the ports option of other preprocessors, I don't believe it does; however keep in mind that, for example, you would not need to set the ports in http_inspect, due to the host attributes being matched up with the "metadata:service ____" tag in pertinent rules. 2) This is what I have in mind for my environments. Scan as much as I can, and set the default policy to whatever is the majority of my systems, that way if something new is added or I missed something, I have a high likelihood that its traffic is reassembled the same way in Snort. 3) I still think it is a good practice to define your variables And I see that Joel has responded before I hit send, so I will just hit send and we'll see where this dialogue goes... -Parker -----Original Message----- From: Jason Wallace [mailto:jason.r.wallace () gmail com] Sent: Thursday, March 25, 2010 12:30 PM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort Host Attribute table Any input on the questions below would be appreciated. Thx, Wally On Wed, Mar 24, 2010 at 2:11 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:
Since we are on the topic I also have a couple of questions about the host attribute table. 1) I know that it plays into frag3, stream5, http_inspect, and rules. But does it also have an affect on?: ftp_telnet ftp_telnet_protocol smtp ssh dcerpc2 dcerpc2_server dns ssl I assume it would at least affect the "ports" option of these. 2) I suspect, now that we have hogger to help out, more people will be migrating to using the host attribute table. Right now I have a pretty complicated snort.conf to do what the host attribute table would do. For those migrating, does it make sense to simplify our detailed preprocessor setups to just match the most common hosts and let the the table handle the rest? 3) Kind of the same question as #2 but in relation to "var"'s. Since the table would have the IP and ports for these servers/services, does the host attribute table make the following pointless to define? var DNS_SERVERS var SMTP_SERVERS var HTTP_SERVERS var SQL_SERVERS var TELNET_SERVERS var FTP_SERVERS var SNMP_SERVERS portvar HTTP_PORTS portvar ORACLE_PORTS portvar FTP_PORTS I know without the host attribute table it is a good idea to specifically define the "*_SERVERS" vars to cut down on what is inspected, but with a host attribute table could you just set those to $HOME_NET and be done with them? Thx, Wally On Wed, Mar 24, 2010 at 11:41 AM, Alex Tatistcheff <alex.tatistcheff () gmail com> wrote:Well, one way is you could attend the Snort 360 class offered by Sourcefire! Ok, as one of the instructors I might be a bit biased.... ;-) Seriously though, what we do in class is load the attribute table then demonstrate with some sample Snort rules using the metadata keyword how Snort now alerts for HTTP based rules on hosts which are identified in the XML file as serving HTTP on a given port even though the rule does not include that port. For example, you have a snort rule with the destination port of 80 and "metadata: service http;" Now, if you have a host which is running - say webmin offering HTTP on port 10000. You identify that in the attribute table file. The snort rule will now be evaluated for the traffic destined for port 10000 on that host. Yet it will not be processed for other hosts which are not identified in the XML file as listening for HTTP on port 10000. You can write some quick sample rules to evaluate the behavior of your Snort installation to ensure it's working as advertised. Alex Tatistcheff alext () pobox com The most terrifying words in the English language are, "I'm from the government and I'm here to help." -Ronald Reagan On Tue, Mar 23, 2010 at 10:25 AM, Andy Berryman <aberryman () cymtec com> wrote:I understand that it's loading the table. I was just asking if there is a way to check AFTER it was loaded, to see if it was working. I guess no news (errors) is good news? I was also wondering what the lines meant directly below it? Do they pertain to the XML files being loaded? I've never seen them until I added the attribute table to the snort.conf Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=24 as service=x11 Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=12 as service=netbios-ns Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=28 as service=ldap Thanks, Andy From: jcummings () sourcefire com [mailto:jcummings () sourcefire com] On Behalf Of JJ Cummings Sent: Tuesday, March 23, 2010 11:00 AM To: Andy Berryman Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort Host Attribute table One of the following outputs (depending on HUP, Init.. etc).. this was taken from the email chain about this yesterday. JJC 1: Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts 2: Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Starting... Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started, thread 3059501968 (21699) 3: Mar 22 16:27:01 SNORT2 snort[19778]: =============================================================================== Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats: Mar 22 16:27:01 SNORT2 snort[19778]: Number Entries: 113 Mar 22 16:27:01 SNORT2 snort[19778]: Table Reloaded: 0 Mar 22 16:27:01 SNORT2 snort[19778]: =============================================================================== On Tue, Mar 23, 2010 at 9:56 AM, Andy Berryman <aberryman () cymtec com> wrote: I have an attribute table that was created with the help of Hooger. <--great program btw My question is, now that snort's loading the file. How do I know it's working? I see it loading it in my syslog, but not sure if there is anything I can check to make sure it's doing what it's supposed to be doing. Also, what does the below output tell me "fpBuildServicePortGroups" Mar 23 15:42:26 (none) snort[4648]: Attribute Table Reload Thread Starting... Mar 23 15:42:26 (none) snort[4648]: Attribute Table Reload Thread Started, thread 3067956416 (4648) Mar 23 15:42:26 (none) snort[4648]: Checking PID path... Mar 23 15:42:26 (none) snort[4648]: PID path stat checked out ok, PID path set to /var/run/ Mar 23 15:42:26 (none) snort[4648]: Writing PID "4648" to file "/var/run//snort_eth1.pid" Mar 23 15:42:26 (none) snort[4648]: Decoding Ethernet on interface eth1 Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=24 as service=x11 Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=12 as service=netbios-ns Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=28 as service=ldap Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=74 as service=ident Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=91 as service=rtsp Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=13 as service=netbios-ssn Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=90 as service=ssl Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=86 as service=sunrpc Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=10 as service=dcerpc Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=17 as service=finger Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=6 as service=ftp Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=57 as service=font-service Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=95 as service=ldp Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=8 as service=smtp Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=21 as service=pop3 Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=14 as service=nntp Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=92 as service=kerberos Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=22 as service=snmp Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=18 as service=imap Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=52 as service=mysql Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=52 as service=mysql Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=10 as service=dcerpc Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=13 as service=netbios-ssn Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=91 as service=rtsp Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=18 as service=imap Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=8 as service=smtp Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=12 as service=netbios-ns Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=6 as service=ftp Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=24 as service=x11 Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=28 as service=ldap Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=22 as service=snmp Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=74 as service=ident Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=86 as service=sunrpc Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=94 as service=ircd Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=90 as service=ssl Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=21 as service=pop3 Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=14 as service=nntp Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=10 as service=dcerpc Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=23 as service=tftp Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=12 as service=netbios-ns Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=92 as service=kerberos Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=22 as service=snmp Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=13 as service=netbios-ssn Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=96 as service=radius Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=86 as service=sunrpc Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=93 as service=ntp Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=10 as service=dcerpc Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=91 as service=rtsp Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=93 as service=ntp Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=12 as service=netbios-ns Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=13 as service=netbios-ssn Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=22 as service=snmp Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=96 as service=radius Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=86 as service=sunrpc Thanks, Andy Berryman ________________________________ This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail. ________________________________ ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users -- ________________________________ This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail. ________________________________ ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Tap and Hub, (continued)
- Tap and Hub akos . daniel (Mar 24)
- Re: Tap and Hub Crook, Parker (Mar 24)
- Re: Tap and Hub Richard Bejtlich (Mar 26)
- Re: Tap and Hub Eoin Miller (Mar 24)
- Re: Tap and Hub Lee Clemens (Mar 24)
- Re: Tap and Hub Eoin Miller (Mar 24)
- Message not available
- Tap and Hub D. Hofstee (Mar 24)
- Re: Tap and Hub Nick Moore (Mar 24)
- Re: Snort Host Attribute table Jason Wallace (Mar 24)
- Re: Snort Host Attribute table Jason Wallace (Mar 25)
- Re: Snort Host Attribute table Crook, Parker (Mar 25)
- Re: Snort Host Attribute table Jason Wallace (Mar 25)
- Re: Snort Host Attribute table Matt Olney (Mar 25)
- Re: Snort Host Attribute table Jason Wallace (Mar 25)
- Re: Snort Host Attribute table Joel Esler (Mar 25)
- Re: Snort Host Attribute table Joel Esler (Mar 25)