Snort mailing list archives
Re: Use of Host Attribute table, Frag3, and Stream 5 question
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Thu, 29 Apr 2010 15:43:37 -0400
Exactly _____ From: Andy Berryman [mailto:aberryman () Cymtec com] Sent: Thursday, April 29, 2010 2:47 PM To: Crook, Parker; snort-users () lists sourceforge net Subject: RE: [Snort-users] Use of Host Attribute table, Frag3, and Stream 5 question Gotcha. So it uses the host attribute table and configures the policies that way. Then if a machine is seen that isn't in the table, it uses the policy that's in the snort.conf file, if I'm understanding correctly. From: Crook, Parker [mailto:Parker_Crook () reyrey com] Sent: Thursday, April 29, 2010 1:43 PM To: Andy Berryman; snort-users () lists sourceforge net Subject: RE: [Snort-users] Use of Host Attribute table, Frag3, and Stream 5 question Andy, The "policy first" portion of the frag3 engine tells snort the default frag3 reassembly behavior - to reassemble all undefined hosts according to "first" rules in this case (MacOS, and BSD follow this interpretation of the RFCs for fragmented packet reassembly). If hosts are defined in a host attribute table, then packets will be assembled according to their definition in that table. The way I run my frag3 (& stream5) default behavior, is to set the default policy to whatever systems make up the majority of my network, that way if I miss a host in the host attribute table, I have a higher percentage chance of correct packet and stream reassembly. IE, if 80% of my hosts are running Windows 2003+ servers, I would set : preprocessor frag3_engine: policy Windows detect anomalies timeout 180 & preprocessor stream5_engine: policy windows2003, use_static_footprint_sizes I hope that covers all that you asked about, Parker _____ From: Andy Berryman [mailto:aberryman () Cymtec com] Sent: Thursday, April 29, 2010 1:25 PM To: snort-users () lists sourceforge net Subject: [Snort-users] Use of Host Attribute table, Frag3, and Stream 5 question If I'm using a host attribute table that I generated with nmap and Hogger, but my snort.conf only has these two lines: preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy first detect_anomalies timeout 180 What will it do when it gets to a host in the attribute table that is a linux machine or a Cisco IOS? Will the attribute file basically only be good for the OS's that are the "first" category? Meaning that I'm really only using the attribute table to look at the hosts that are running Windows, MacOS, or HP-UX? I know I can specify more "policies" in the snort.conf but, I have to bind IP's to that policy. Which can be time consuming when machines are constantly being added and removed. Thanks, Andy Berryman _____ This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail. _____ _____ This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail. _____
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Use of Host Attribute table, Frag3, and Stream 5 question Andy Berryman (Apr 29)
- Re: Use of Host Attribute table, Frag3, and Stream 5 question Crook, Parker (Apr 29)
- Re: Use of Host Attribute table, Frag3, and Stream 5 question Andy Berryman (Apr 29)
- Re: Use of Host Attribute table, Frag3, and Stream 5 question Crook, Parker (Apr 29)
- Re: Use of Host Attribute table, Frag3, and Stream 5 question Andy Berryman (Apr 29)
- Re: Use of Host Attribute table, Frag3, and Stream 5 question Crook, Parker (Apr 29)