Snort mailing list archives

Host attribute table validation / usage


From: Enrico Papi <enrico.papi () cern ch>
Date: Sat, 29 Oct 2011 09:09:20 +0200

Greetings,

We are creating host attribute tables with our script, from Nmap scans,
for every Snort instance we have.

The generated XMLs have the same structure described by the DTD included
in the sources and cover almost all the attributes defined in the
example at paragraph 2.7.2 of the Snort manual.

However, we have omitted these tags in the final XML:

1) The whole 'attribute map' tag is omitted because we simply
specify 'Linux' or 'ssh' every time with the script:

<ATTRIBUTE_MAP>
     <ENTRY>
         <ID>1</ID>
         <VALUE>Linux</VALUE>
     </ENTRY>
     <ENTRY>
         <ID>2</ID>
         <VALUE>ssh</VALUE>
     </ENTRY>
</ATTRIBUTE_MAP>

2) Every value in the services specification contains the confidence tag:
        <CONFIDENCE>100</CONFIDENCE>
We have omitted this.


3) We are not writing the vendor and the attribute tags in the XML
for every host operating system:

<VENDOR>
     <ATTRIBUTE_VALUE>Red Hat</ATTRIBUTE_VALUE>
     <CONFIDENCE>99</CONFIDENCE>
</VENDOR>
<VERSION>
     <ATTRIBUTE_VALUE>2.6</ATTRIBUTE_VALUE>
     <CONFIDENCE>98</CONFIDENCE>
</VERSION>



In the end, when we try to validate the schema of our XMLs with xmllint,
it fails because of the differences I have written about.

xmllint --valid --dtdvalid dtd_schema.dtd our_xml.xml

I would like to know from you if these fields are needed and, if so, what
we should put in them if we have no value and they are currently not used by
the Snort parser.

One more important question for us:

How can we know that Snort has loaded the host details specified in the
XML attribute table files after we add the following line in snort.conf?

attribute_table filename our_xml.xml

I think this question has already been asked on this list but it received
no answer.

Thanks in advance,

Enrico.
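As an added example (not from the post above and not Snort's own code), the script below builds a host attribute table in the shape the post describes, including the three pieces the poster's script leaves out (the ATTRIBUTE_MAP, a CONFIDENCE under every attribute, and VENDOR/VERSION under the operating system), and then runs a structural self-check on the result before it is handed to xmllint or Snort. The tag layout follows the manual example the post refers to (section 2.7.2); SCAN_RESULTS, POLICY_BY_OS and the fallback reassembly policy are constructed assumptions standing in for what an Nmap-based script would collect.

```python
"""Build a Snort host attribute table (the XML named by
`attribute_table filename ...` in snort.conf) from scan results, and
self-check it.

Tag layout follows the example in section 2.7.2 of the Snort 2.x manual
(SNORT_ATTRIBUTES > ATTRIBUTE_MAP / ATTRIBUTE_TABLE > HOST ...). Verify
against the DTD shipped in the Snort sources before relying on it.
"""
import xml.etree.ElementTree as ET

# Constructed scan results (assumption) standing in for what an Nmap-based
# script would collect: one record per host with OS guess, accuracy and
# open services. The confidence values map onto Nmap's accuracy figures.
SCAN_RESULTS = [
    {
        "ip": "192.0.2.10",
        "os": {"name": "Linux", "vendor": "Red Hat", "version": "2.6", "confidence": 98},
        "services": [
            {"port": 22, "ipproto": "tcp", "protocol": "ssh", "confidence": 100},
            {"port": 80, "ipproto": "tcp", "protocol": "http", "confidence": 90},
        ],
    },
    {
        "ip": "192.0.2.20",
        "os": {"name": "Windows", "vendor": "Microsoft", "version": "7", "confidence": 85},
        "services": [
            {"port": 445, "ipproto": "tcp", "protocol": "netbios-ssn", "confidence": 100},
        ],
    },
]

# Frag/stream reassembly policy names chosen per OS family (assumption).
POLICY_BY_OS = {"Linux": "linux", "Windows": "windows"}


class AttributeMap:
    """Assigns a stable numeric ID to each distinct string referenced via ATTRIBUTE_ID."""

    def __init__(self):
        self.ids = {}

    def id_for(self, value):
        return self.ids.setdefault(value, len(self.ids) + 1)


def _leaf(parent, tag, value, confidence, amap=None):
    """Append <TAG> holding either ATTRIBUTE_ID (resolved through the map) or
    ATTRIBUTE_VALUE, always followed by a CONFIDENCE element."""
    node = ET.SubElement(parent, tag)
    if amap is not None:
        ET.SubElement(node, "ATTRIBUTE_ID").text = str(amap.id_for(value))
    else:
        ET.SubElement(node, "ATTRIBUTE_VALUE").text = str(value)
    ET.SubElement(node, "CONFIDENCE").text = str(confidence)


def build_attribute_table(hosts):
    """Return the attribute table XML (as a string) for the given host records."""
    amap = AttributeMap()
    root = ET.Element("SNORT_ATTRIBUTES")
    map_el = ET.SubElement(root, "ATTRIBUTE_MAP")  # entries are filled in after the table
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for h in hosts:
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = h["ip"]
        os_el = ET.SubElement(host, "OPERATING_SYSTEM")
        o = h["os"]
        _leaf(os_el, "NAME", o["name"], o["confidence"], amap)
        _leaf(os_el, "VENDOR", o["vendor"], o["confidence"])
        _leaf(os_el, "VERSION", o["version"], o["confidence"])
        policy = POLICY_BY_OS.get(o["name"], "bsd")  # fallback policy is an assumption
        ET.SubElement(os_el, "FRAG_POLICY").text = policy
        ET.SubElement(os_el, "STREAM_POLICY").text = policy
        svcs = ET.SubElement(host, "SERVICES")
        for s in h["services"]:
            svc = ET.SubElement(svcs, "SERVICE")
            _leaf(svc, "PORT", s["port"], s["confidence"])
            _leaf(svc, "IPPROTO", s["ipproto"], s["confidence"])
            _leaf(svc, "PROTOCOL", s["protocol"], s["confidence"], amap)
    # Emit the map in ID order so the file is stable across runs.
    for value, ident in sorted(amap.ids.items(), key=lambda kv: kv[1]):
        entry = ET.SubElement(map_el, "ENTRY")
        ET.SubElement(entry, "ID").text = str(ident)
        ET.SubElement(entry, "VALUE").text = value
    return ET.tostring(root, encoding="unicode")


def check_attribute_table(xml_text):
    """Structural checks independent of the DTD: every HOST has an IP, every
    ATTRIBUTE_ID resolves in the map, every attribute leaf has CONFIDENCE 0..100."""
    root = ET.fromstring(xml_text)
    problems = []
    known = {e.findtext("ID") for e in root.iter("ENTRY")}
    for host in root.iter("HOST"):
        ip = host.findtext("IP")
        if not ip:
            problems.append("HOST without IP")
        for leaf in host.iter():
            if leaf.find("ATTRIBUTE_ID") is None and leaf.find("ATTRIBUTE_VALUE") is None:
                continue  # not an attribute leaf (HOST, SERVICES, SERVICE, ...)
            ref = leaf.findtext("ATTRIBUTE_ID")
            if ref is not None and ref not in known:
                problems.append(f"{ip}: {leaf.tag} references unknown ATTRIBUTE_ID {ref}")
            conf = leaf.findtext("CONFIDENCE")
            if conf is None or not conf.isdigit() or not 0 <= int(conf) <= 100:
                problems.append(f"{ip}: {leaf.tag} missing or invalid CONFIDENCE")
    return problems


if __name__ == "__main__":
    xml_out = build_attribute_table(SCAN_RESULTS)
    print(xml_out)
    print("problems:", check_attribute_table(xml_out) or "none")
```

The self-check catches the two mistakes a generator is most likely to make (an ATTRIBUTE_ID with no ENTRY in the map, and an attribute with no CONFIDENCE) with a clearer message than a DTD error; it does not replace the `xmllint --dtdvalid` run from the post, which remains the authoritative check against the DTD shipped with the sources.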
