Snort mailing list archives

Re: host attribute file question


From: Steven Sturges <steve.sturges () sourcefire com>
Date: Tue, 24 Nov 2009 15:16:13 -0500

As a side note, you might try the profile 'all' in that
scenario.  It really comes down to how the servers handle
spaces/tabs and other things in the request.

-s

Jason Wallace wrote:
I sent this to the snort-users list, and was asked to send it to the
devel list also. Any help would be appreciated.

Per the docs...

With Snort 2.8.1, for a given host entry, the stream and IP frag
information are both used. Of the service
attributes, only the IP protocol (tcp, udp, etc), port, and protocol
(http, ssh, etc) are used. The application
and version for a given service attribute, and any client attributes
are ignored. They will be used in a future
release.

Is the application and version still not used? I'd like to define the
application in the hopes that http_inspect will choose the correct
profile for IIS and Apache. I cannot do the following in
snort.conf...

preprocessor http_inspect_server: server 10.75.88.11 \
                                profile iis \
                                server_flow_depth 0 \
                                client_flow_depth 0 \
                                ports { 80 }

preprocessor http_inspect_server: server 10.75.88.11 \
                                profile apache \
                                server_flow_depth 0 \
                                client_flow_depth 0 \
                                ports { 8080 }

Since they have the same IP address only the last one in the config
file is used. I can tell this because detect_anomalous_servers will
still trigger an alert on the first one even though both are in the
config.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


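The silent override Jason describes (a second `server 10.75.88.11` directive replacing the first, noticed only when detect_anomalous_servers fires) can be caught before Snort is started. The script below is an added example, not code from this thread or from Snort: it joins backslash-continued snort.conf lines, extracts each http_inspect_server directive, and reports every server IP that is defined more than once, since only the last definition takes effect. The configuration fragment is constructed to mirror the two directives above, and the handling of the `server { ip ip }` list form is an assumption about that syntax.

```python
import re
from collections import defaultdict

# Constructed snort.conf fragment that mirrors the two conflicting directives in the thread.
SAMPLE_CONF = r"""
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor http_inspect_server: server 10.75.88.11 \
    profile iis \
    server_flow_depth 0 client_flow_depth 0 \
    ports { 80 }
preprocessor http_inspect_server: server 10.75.88.11 \
    profile apache \
    server_flow_depth 0 client_flow_depth 0 \
    ports { 8080 }
"""
DIRECTIVE = re.compile(r"^preprocessor\s+http_inspect_server:\s*server\s+(\{[^}]*\}|\S+)\s*(.*)$")
PORTS = re.compile(r"ports\s*\{([^}]*)\}")
PROFILE = re.compile(r"profile\s+(\S+)")

def join_continuations(text):
    """Merge backslash-continued lines into whitespace-normalised logical lines, dropping blanks."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    return [" ".join(l.split()) for l in joined.splitlines() if l.strip()]

def parse_http_inspect_servers(text):
    """Return (server, profile, sorted ports) tuples in file order; 'server { a b }' lists are expanded."""
    entries = []
    for m in filter(None, map(DIRECTIVE.match, join_continuations(text))):
        target, opts = m.groups()
        servers = target.strip("{} ").split() if target.startswith("{") else [target]
        prof, ports = PROFILE.search(opts), PORTS.search(opts)
        plist = sorted(int(p) for p in ports.group(1).split()) if ports else []
        entries.extend((s, prof.group(1) if prof else None, plist) for s in servers)
    return entries

def find_shadowed_servers(entries):
    """Map each server defined more than once to the earlier definitions Snort discards (last one wins)."""
    by_server = defaultdict(list)
    for e in entries:
        by_server[e[0]].append(e)
    return {s: defs[:-1] for s, defs in by_server.items() if len(defs) > 1}

if __name__ == "__main__":
    for server, lost in find_shadowed_servers(parse_http_inspect_servers(SAMPLE_CONF)).items():
        for _, prof, ports in lost:
            print(f"WARNING: {server}: profile {prof} ports {ports} is overridden by a later directive")
```

Run against a real snort.conf by passing its contents to parse_http_inspect_servers; a non-empty result from find_shadowed_servers means a server block is being ignored.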

