Snort mailing list archives

Re: host attribute table - feature request


From: Joel Esler <joel.esler () me com>
Date: Mon, 22 Mar 2010 17:14:15 -0400

Glad that got clarified.  I don't have a system to check right now (rebuilding).  Thanks.

J

On Mar 22, 2010, at 4:52 PM, Crook, Parker wrote:

Yeah...
I was grepping with the wrong info, it's there in 2.8.5.3, depending on whether Snort is started, reloaded, or 
restarted, in one of the following formats:

1:
Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts

2:
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Starting...
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started, thread 3059501968 (21699)

3:
Mar 22 16:27:01 SNORT2 snort[19778]: ===============================================================================
Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
Mar 22 16:27:01 SNORT2 snort[19778]:     Number Entries: 113
Mar 22 16:27:01 SNORT2 snort[19778]:     Table Reloaded: 0
Mar 22 16:27:01 SNORT2 snort[19778]: ===============================================================================

Sorry for causing trouble,
Parker

-----Original Message-----
From: Ryan Jordan [mailto:ryan.jordan () sourcefire com]
Sent: Monday, March 22, 2010 4:45 PM
To: Crook, Parker
Cc: Matt Olney; snort-devel-request () lists sourceforge net; snort-users () lists sourceforge net List
Subject: Re: [Snort-users] host attribute table - feature request

If you're not seeing those stats, make sure you compiled Snort with
--enable-targetbased.

-Ryan

On Mon, Mar 22, 2010 at 4:33 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:
Matt,



No that's great -- I thought I remembered seeing something like that in my
lab at home, but thought I was losing it when I couldn't get it here in the
production environment (it was a late night coding session after all).



Thanks again,

Parker



________________________________

From: Matt Olney [mailto:molney () sourcefire com]
Sent: Monday, March 22, 2010 4:27 PM
To: Crook, Parker
Cc: Joel Esler; snort-devel-request () lists sourceforge net;
snort-users () lists sourceforge net List

Subject: Re: [Snort-users] host attribute table - feature request



In 2.8.6rc1, at least I get the following:



===============================================================================

Attribute Table Stats:

   Number Entries: 1

   Table Reloaded: 0

===============================================================================



In the Snort output.  Is that sufficient?  I'll put a feature request bug
in, but I'm just making sure this isn't what you are looking for,

Matt



On Mon, Mar 22, 2010 at 4:15 PM, Crook, Parker <Parker_Crook () reyrey com>
wrote:

Thanks Joel, I appreciate it.



-Parker

________________________________

From: Joel Esler [mailto:joel.esler () me com]
Sent: Monday, March 22, 2010 2:55 PM
To: Crook, Parker
Cc: snort-users () lists sourceforge net List;
snort-devel-request () lists sourceforge net

Subject: Re: [Snort-users] host attribute table - feature request



Parker,



I've cc'ed the snort-devel list.  I'm not aware if the developers are on the
snort-users list.



J



On Mar 22, 2010, at 1:35 PM, Crook, Parker wrote:



After speaking with Andy about getting hogger to create the host attribute
table, he asked how he would know if Snort successfully slurped up the
attribute file.  I did some checking on my installation and went through the
logs and noticed there is not any sort of indication of whether or not Snort
is using a host attribute table.



Would it be possible to add this feature so that we can receive confirmation
that we are or are not using the host attribute feature? (similar to the
message on PCAP frames)



--
Joel Esler
http://blog.joelesler.net



------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
Joel Esler
http://blog.joelesler.net
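
A log check for the three syslog formats quoted in this thread, as an added example that is not part of any poster's message or of Snort itself: it reports, per Snort PID, what the process logged about its attribute table. The sample lines are constructed from the thread's output (separator lines shortened), and the function names are hypothetical.

```python
import re

# Constructed sample built from the three syslog formats quoted in the thread.
SAMPLE_LOG = """\
Mar 22 16:27:01 SNORT2 snort[19778]: ==========
Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
Mar 22 16:27:01 SNORT2 snort[19778]:     Number Entries: 113
Mar 22 16:27:01 SNORT2 snort[19778]:     Table Reloaded: 0
Mar 22 16:27:01 SNORT2 snort[19778]: ==========
Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Starting...
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started, thread 3059501968 (21699)
"""

LINE = re.compile(r"snort\[(\d+)\]:\s*(.*)$")
LOADED = re.compile(r"Attribute Table Loaded with (\d+) hosts")
STAT = re.compile(r"(Number Entries|Table Reloaded): (\d+)")


def attribute_table_status(log_text):
    """Map each Snort PID to the attribute-table facts it logged."""
    status, in_stats = {}, set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2).strip()
        if msg and set(msg) == {"="}:
            in_stats.discard(pid)  # separator line closes a stats block
        elif msg == "Attribute Table Stats:":
            in_stats.add(pid)
            status.setdefault(pid, {})
        elif LOADED.search(msg):
            status.setdefault(pid, {})["hosts"] = int(LOADED.search(msg).group(1))
        elif msg.startswith("Attribute Table Reload Thread Started"):
            status.setdefault(pid, {})["reload_thread"] = True
        elif pid in in_stats and STAT.match(msg):
            # Only trust these counters inside an "Attribute Table Stats:" block.
            key, value = STAT.match(msg).groups()
            status[pid]["hosts" if key == "Number Entries" else "reloads"] = int(value)
    return status


def table_in_use(log_text, pid):
    """True only if this PID reported a non-empty attribute table."""
    return attribute_table_status(log_text).get(pid, {}).get("hosts", 0) > 0


if __name__ == "__main__":
    for pid, facts in sorted(attribute_table_status(SAMPLE_LOG).items()):
        print(pid, facts)
```

An empty result for a running sensor is the case Ryan's reply covers: check that Snort was compiled with `--enable-targetbased`.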




