Snort mailing list archives
Re: Understanding MetaData
From: Rafael Leiva-Ochoa <spawn () rloteck net>
Date: Sun, 6 Dec 2015 09:53:31 -0800
Any takers...

On Friday, December 4, 2015, Rafael Leiva-Ochoa <spawn () rloteck net> wrote:

> Hi All,
>
> I am trying to understand how "metadata: service http" and other service types work. I tried reading these documents:
>
> http://manual.snort.org/node323.html
> http://manual.snort.org/node22.html#targetbased
>
> But I am still a bit confused :( As I read the document, it stated the following: "The service Metadata Key is only meaningful when a Host Attribute Table is provided". The confusing part is that a lot of Talos signatures use "metadata: service http", but there is no Host Attribute Table created for that by default when I installed Snort. How are those signatures going to work without it? In the snort.conf there is no setting to tell Snort to load the attribute XMLs. How is that done?
>
> I also tried creating a custom rule in the local.rules file to better my understanding of "metadata service" using "ssh", but it does not fire when I use it. It only works when I remove the "service ssh". Here is the rule:
>
>     alert tcp $HOME_NET any -> $HOME_NET 22 ( \
>         msg:"SSH Brute Force Attempt"; \
>         flow:established,to_server; \
>         content:"SSH"; nocase; offset:0; depth:4; \
>         detection_filter:track by_src, count 3, seconds 60; \
>         sid:1000001; metadata:service ssh; rev:1;)
>
> My understanding of metadata is that it is used to detect that someone is using a service not based on the port, but based on what the protocol is exhibiting. For example, if I ssh to a server using port 4598, which is not a standard ssh port, the "metadata service ssh" will be able to see it is ssh even though I had port 22 on the signature for the destination port.
>
> Any input and answers would be great.
>
> Thanks,
>
> Rafael
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
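The thing the question turns on is the Host Attribute Table itself: Snort 2.x loads it with the snort.conf directive `attribute_table filename <path>`, and once a host/port pair is known to the table, a rule carrying `metadata:service X` is selected by that service rather than by the port in the rule header (the target-based section of the manual linked above). The following is an editor-added example, not code from the original post or from Snort, that builds such a table from a small inventory and reads it back. The element names follow the Host Attribute Table layout documented in the Snort 2.9 manual (ATTRIBUTE_MAP with ID/VALUE entries, HOST with IP, OPERATING_SYSTEM and SERVICES); the inventory, IP addresses and the ssh-on-4598 host are constructed for illustration.

```python
"""Build and read back a Snort 2.x host attribute table.

Editor-added example; not from the mailing-list thread or from Snort.
Assumed: element names as in the Snort 2.9 manual's Host Attribute Table
section. The inventory below is constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed inventory: ip -> OS policy name and (ip_proto, port, service) triples.
# 192.168.1.234 runs ssh on 22 and on the non-standard port 4598 from the post.
INVENTORY = {
    "192.168.1.234": {"os": "linux",
                      "services": [("tcp", 22, "ssh"), ("tcp", 4598, "ssh")]},
    "192.168.1.10": {"os": "windows",
                     "services": [("tcp", 8080, "http")]},
}


def _attr(parent, tag, value, confidence=100, by_id=False):
    """Append <tag> holding ATTRIBUTE_VALUE (or ATTRIBUTE_ID) plus CONFIDENCE."""
    node = ET.SubElement(parent, tag)
    ET.SubElement(node, "ATTRIBUTE_ID" if by_id else "ATTRIBUTE_VALUE").text = str(value)
    ET.SubElement(node, "CONFIDENCE").text = str(confidence)
    return node


def build_attribute_table(inventory):
    """Return (xml_text, service_name_to_id) for the given inventory."""
    root = ET.Element("SNORT_ATTRIBUTES")
    attr_map = ET.SubElement(root, "ATTRIBUTE_MAP")
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")

    # Service names live once in ATTRIBUTE_MAP; SERVICE/PROTOCOL refers to them by ID.
    name_to_id = {}
    for host in inventory.values():
        for _, _, svc in host["services"]:
            if svc not in name_to_id:
                name_to_id[svc] = len(name_to_id) + 1
                entry = ET.SubElement(attr_map, "ENTRY")
                ET.SubElement(entry, "ID").text = str(name_to_id[svc])
                ET.SubElement(entry, "VALUE").text = svc

    for ip, host in inventory.items():
        h = ET.SubElement(table, "HOST")
        ET.SubElement(h, "IP").text = ip
        os_node = ET.SubElement(h, "OPERATING_SYSTEM")
        # frag3 and stream5 read these to choose the target-based reassembly policy.
        ET.SubElement(os_node, "FRAG_POLICY").text = host["os"]
        ET.SubElement(os_node, "STREAM_POLICY").text = host["os"]
        services = ET.SubElement(h, "SERVICES")
        for ipproto, port, svc in host["services"]:
            s = ET.SubElement(services, "SERVICE")
            _attr(s, "PORT", port)
            _attr(s, "IPPROTO", ipproto)
            _attr(s, "PROTOCOL", name_to_id[svc], by_id=True)

    return ET.tostring(root, encoding="unicode"), name_to_id


def services_for(xml_text, ip):
    """Parse a table and return {(ipproto, port): service} for one host.

    This is the lookup that decides which 'metadata:service' rules apply to
    traffic to that host/port; an unknown host yields {} (port matching only).
    """
    root = ET.fromstring(xml_text)
    id_to_name = {e.findtext("ID"): e.findtext("VALUE") for e in root.iter("ENTRY")}
    result = {}
    for host in root.iter("HOST"):
        if host.findtext("IP") != ip:
            continue
        for s in host.iter("SERVICE"):
            key = (s.findtext("IPPROTO/ATTRIBUTE_VALUE"),
                   int(s.findtext("PORT/ATTRIBUTE_VALUE")))
            result[key] = id_to_name[s.findtext("PROTOCOL/ATTRIBUTE_ID")]
    return result


if __name__ == "__main__":
    xml_text, _ = build_attribute_table(INVENTORY)
    with open("hosts.xml", "w") as fh:   # then: attribute_table filename /path/to/hosts.xml
        fh.write(xml_text)
    print(services_for(xml_text, "192.168.1.234"))
```

With the generated file referenced from snort.conf as `attribute_table filename /path/to/hosts.xml`, the post's rule (header port 22, `metadata:service ssh`) is applied to 192.168.1.234's ssh on tcp/4598 as well, because the table identifies that port as ssh; on a host the table does not know, Snort falls back to the port in the rule header. Hosts and ports are looked up by the destination of the flow, so the table must describe the servers, not the clients. The manual also notes that the service key is meaningful only when such a table is loaded, which matches the quoted sentence from the question.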
Current thread:
- Understanding MetaData Rafael Leiva-Ochoa (Dec 04)
- Re: Understanding MetaData Rafael Leiva-Ochoa (Dec 06)
- Re: Understanding MetaData paul meding (Dec 06)
- Re: Understanding MetaData Joel Esler (jesler) (Dec 06)
- Re: Understanding MetaData Rafael Leiva-Ochoa (Dec 06)
- Re: Understanding MetaData Al Lewis (allewi) (Dec 06)
- Re: Understanding MetaData Joel Esler (jesler) (Dec 07)
- Re: Understanding MetaData Rafael Leiva-Ochoa (Dec 07)
- Re: Understanding MetaData paul meding (Dec 06)
- Re: Understanding MetaData Rafael Leiva-Ochoa (Dec 06)