Snort mailing list archives
Re: Hogger 0.1.3 released
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 23 Mar 2010 12:16:36 -0600
Thanks, that makes sense. How about the size of the attribute table? If I scan every host in my environment the file may get quite large. What are the memory requirements of the host attribute table?

________________________________
From: Crook, Parker [mailto:Parker_Crook () reyrey com]
Sent: Tuesday, March 23, 2010 10:12 AM
To: Jefferson, Shawn; Joel Esler; Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Hogger 0.1.3 released

No downside really... for hosts that are not specified in the xml, they revert to the default policy for each respective preprocessor, e.g.:

preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10

I may have an environment that is mostly made up of windows boxes, but I have scanned everything else and those hosts are represented in the xml, so I changed my base policy to treat all other hosts as windows boxes (of course you can substitute this for what is good for your environment).

As far as the rules side goes... since your xml can detail services on nonstandard ports, say you have a box that is running http on port 2000, and you have a rule with a header of:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80

but that rule contains "metadata:service http;" Snort will also inspect port 2000 traffic for that host as well since it is defined as http traffic. Again, if an IP is not detailed in the attribute table, Snort will process the rule as it normally would, i.e., on port 80 traffic for the host.

I hope I wasn't too terse and that makes sense, but I have to run to a meeting and had to cut it short.

-Parker

________________________________
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Tuesday, March 23, 2010 1:02 PM
To: Joel Esler; Andy Berryman
Cc: Crook, Parker; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Hogger 0.1.3 released

Is there any downside to using it? If the IP address is not in the host attribute table will it still be monitored as per normal?

________________________________
From: Joel Esler [mailto:joel.esler () me com]
Sent: Tuesday, March 23, 2010 9:45 AM
To: Andy Berryman
Cc: Crook, Parker; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Hogger 0.1.3 released

Glad to see people are using this. It makes the setup of the network as far as Snort sees it (preprocessors, rules, etc.) much, much easier, and protects against much more.

Joel

On Mar 23, 2010, at 11:51 AM, Andy Berryman wrote:

So, I have hogger running and it slurped in my XML file and I see it in the syslog that it loaded it. Thanks for the help!

--
Joel Esler
http://blog.joelesler.net
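The two behaviours Parker describes above (a listed host gets its own frag/stream policy and its declared services, an unlisted host falls back to the preprocessor default and to the rule header's literal port) are easy to misread from prose, so here is a small model of that lookup. This is an added illustration, not Snort's or Hogger's own code: the XML element names follow the host attribute table format documented in the Snort 2.x manual, while the host 10.0.0.5, its port 2000 http service, the policies and the "windows" default are constructed sample data. The rule_applies() function is a simplified model of the port/service decision, not the detection engine's actual logic.

```python
"""Model of how a Snort 2.x host attribute table changes preprocessor policy
and rule port selection, following the explanation in the thread.
Added example; not Snort code. XML layout per the Snort 2.x manual,
host/service values constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample table: one Linux web server running http on port 2000.
SAMPLE_TABLE = """<SNORT_ATTRIBUTES>
  <ATTRIBUTE_MAP>
    <ENTRY><ID>1</ID><VALUE>Linux</VALUE></ENTRY>
    <ENTRY><ID>2</ID><VALUE>http</VALUE></ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <HOST>
      <IP>10.0.0.5</IP>
      <OPERATING_SYSTEM>
        <NAME><ATTRIBUTE_ID>1</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></NAME>
        <FRAG_POLICY>linux</FRAG_POLICY>
        <STREAM_POLICY>linux</STREAM_POLICY>
      </OPERATING_SYSTEM>
      <SERVICES>
        <SERVICE>
          <PORT><ATTRIBUTE_VALUE>2000</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
          <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
          <PROTOCOL><ATTRIBUTE_ID>2</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
"""


def load_table(xml_text):
    """Parse the table into {ip: {"frag": str, "stream": str, "services": {(proto, port): name}}}."""
    root = ET.fromstring(xml_text)
    # ATTRIBUTE_MAP lets hosts reference a name by ID instead of repeating the string.
    id_map = {e.findtext("ID"): e.findtext("VALUE") for e in root.iter("ENTRY")}

    def resolve(node):
        # A field carries either an inline ATTRIBUTE_VALUE or an ATTRIBUTE_ID into the map.
        if node is None:
            return None
        value = node.findtext("ATTRIBUTE_VALUE")
        return value if value is not None else id_map.get(node.findtext("ATTRIBUTE_ID"))

    hosts = {}
    for host in root.iter("HOST"):
        os_node = host.find("OPERATING_SYSTEM")
        services = {}
        for svc in host.iter("SERVICE"):
            proto = resolve(svc.find("IPPROTO")) or "tcp"
            port = int(resolve(svc.find("PORT")))
            services[(proto, port)] = resolve(svc.find("PROTOCOL"))
        hosts[host.findtext("IP")] = {
            "frag": os_node.findtext("FRAG_POLICY") if os_node is not None else None,
            "stream": os_node.findtext("STREAM_POLICY") if os_node is not None else None,
            "services": services,
        }
    return hosts


def frag_policy(table, ip, default="windows"):
    """Policy frag3 applies to ip: the host's own FRAG_POLICY, else the configured default
    (the 'policy windows' in the frag3_engine line quoted in the thread)."""
    entry = table.get(ip)
    return entry["frag"] if entry and entry["frag"] else default


def rule_applies(table, dst_ip, dst_port, header_port, rule_service=None, proto="tcp"):
    """Simplified model: does a rule with header port `header_port` and
    `metadata:service <rule_service>` inspect traffic to dst_ip:dst_port?
    A listed host whose table declares a service on dst_port is matched by
    service name, whatever the port; everything else falls back to the header port."""
    entry = table.get(dst_ip)
    if entry and rule_service:
        declared = entry["services"].get((proto, dst_port))
        if declared is not None:
            return declared == rule_service
    return dst_port == header_port


if __name__ == "__main__":
    table = load_table(SAMPLE_TABLE)
    print("frag policy for listed host  :", frag_policy(table, "10.0.0.5"))
    print("frag policy for unlisted host:", frag_policy(table, "10.0.0.99"))
    print("http rule on :2000, listed   :", rule_applies(table, "10.0.0.5", 2000, 80, "http"))
    print("http rule on :2000, unlisted :", rule_applies(table, "10.0.0.99", 2000, 80, "http"))
```

Running it shows the listed host getting the linux frag policy and the port-2000 http rule match, while the unlisted host gets the default policy and is only matched on the header's port 80; that is the "still monitored as per normal" behaviour Shawn asked about. The memory question raised at the top of the thread is not answered here, since the page gives no figures for it.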