Re: Understanding MetaData

[Rafael Leiva-Ochoa <spawn () rloteck net>]

I have openappid enabled....: )

On Monday, December 7, 2015, Joel Esler (jesler) <jesler () cisco com> wrote:

> If you don’t have a host attribute table, and no openappid, then Snort
> falls back to the old method of detection (port based)
>
>
> --
> *Joel Esler*
> Manager, Talos Group
>
>
>
>
> On Dec 6, 2015, at 1:57 PM, Rafael Leiva-Ochoa <spawn () rloteck net
> <javascript:_e(%7B%7D,'cvml','spawn () rloteck net');>> wrote:
>
> Thanks Paul for the explanation. I guess what confuses me the most is that
> when I read the documentation, it's stated that I needed a host attribute
> table in order for the meta-data service to work. Is that still the case?
> The reason I ask is because I see a lot of signatures that have meta-data
> service, but there is no host attribute table that is created by snort when
> I compiled it. I only see an example attribute table that can be used in
> order to make custom attribute tables.
>
>  I also don't understand how snort knows where the host attributes
> tables are if there's nothing in the configuration in the
> snort.conf that points to it.
>
> I want to create custom signatures that can use metadata service in order
> to better accurately identify applications not based on port, but based on
> their behavior characteristics as you explained, but it doesn't seem to be
> working when I use Medela service on custom signatures.
>
> On Sunday, December 6, 2015, paul meding <medingtac () gmail com
> <javascript:_e(%7B%7D,'cvml','medingtac () gmail com');>> wrote:
>
> > Not snort answer per se but metadata is to bring context to network
> > traffic.  Magic numbers can identify applications, filetypes, etc based
> > upon the offsets that are used in their implementations.  in this way if
> > someone renames for example a .zip file as a .abc to bypass filtering,
> > metadata creation will still identify it as a .zip file due to the raw
> > packets.  same way that if someone sends http traffic across a non http
> > port ...it is still identified as http just over non standard port.  Snort
> > can create and act off metadata as well as some other network free tools
> > like netminer and RSA's investigator that you c an download and further see
> > how metadata can make your analysis much more effective and make you a
> > faster analyst.
> >
> > meta can be used to identify filetypes, applications, geo, match domain
> > malware lists, protocols, flags, payload statistics, so many things it
> > would be impossible to list them all.  In snort it's used so even if
> > traffic isnt on the typical port used by ssh for example, its still
> > identified as such so it can't be fooled by our wonderful advanced
> > adversaries we are looking to thwart.
> >
> > Paul
> >
> >
> >
> > On Sun, Dec 6, 2015 at 11:53 AM, Rafael Leiva-Ochoa <spawn () rloteck net>
> > wrote:
> >
> > > Any takers...
> > >
> > >
> > > On Friday, December 4, 2015, Rafael Leiva-Ochoa <spawn () rloteck net>
> > > wrote:
> > >
> > > > Hi All,
> > > >
> > > >     I am trying to understand how "metadata: service http"  and other
> > > > service types work.
> > > >
> > > > I tried reading these documents:
> > > >
> > > > http://manual.snort.org/node323.html
> > > >
> > > > and
> > > >
> > > > http://manual.snort.org/node22.html#targetbased
> > > >
> > > > But, I am still a bit confused..: (
> > > >
> > > > As I read, the document, it stated the following: "The service Metadata
> > > > Key is only meaningful when a Host Attribute Table is provided".
> > > >
> > > > The confusing part is a lot of Talos signatures us "metadata:
> > > > service http", but there is no Host Attribute Tables created for that by
> > > > default when I installed snort. How are those signatures going to work
> > > > without it?
> > > >
> > > > On the snort.conf there is no setting to tell snort to load the
> > > > Attributes XML's. How is that done?
> > > >
> > > > I also tried creating a custom rule on the local.rules file to better
> > > > my understanding of "metadata service" using "ssh",  but it does not fire
> > > > when I use it. It only works when I remove the "service ssh".
> > > >
> > > > here is the rule:
> > > >
> > > > alert tcp $HOME_NET any -> $HOME_NET 22 ( \
> > > >
> > > >         msg:"SSH Brute Force Attempt"; \
> > > >
> > > >         flow:established,to_server; \
> > > >
> > > >         content:"SSH"; nocase; offset:0; depth:4; \
> > > >
> > > >         detection_filter:track by_src, count 3, seconds 60; \
> > > >
> > > >         sid:1000001; metadata:service ssh; rev:1;)
> > > > My understanding of metadata is that it is used to detect that someone
> > > > is using a service not based on the port, but based on what the protocol is
> > > > exhibiting. From example, if I ssh to a server using port 4598, which is
> > > > not a standard ssh port, the "metadata service ssh" will be able to see it
> > > > is ssh even though I had port 22 on the signature for the destination port.
> > > >
> > > > Any input and answers would be great.
> > > >
> > > > Thanks,
> > > >
> > > > Rafael
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Go from Idea to Many App Stores Faster with Intel(R) XDK
> > > Give your users amazing mobile app experiences with Intel(R) XDK.
> > > Use one codebase in this all-in-one HTML5 development environment.
> > > Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> > > OSs.
> > > http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
> ------------------------------------------------------------------------------
> Go from Idea to Many App Stores Faster with Intel(R) XDK
> Give your users amazing mobile app experiences with Intel(R) XDK.
> Use one codebase in this all-in-one HTML5 development environment.
> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> OSs.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> <javascript:_e(%7B%7D,'cvml','Snort-users () lists sourceforge net');>
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!