Snort mailing list archives

Re: Hogger 0.1.3 released


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 23 Mar 2010 12:16:36 -0600

Thanks, that makes sense.  How about the size of the attribute table?  If I scan every host in my environment the file 
may get quite large.  What are the memory requirements of the host attribute table?

________________________________
From: Crook, Parker [mailto:Parker_Crook () reyrey com]
Sent: Tuesday, March 23, 2010 10:12 AM
To: Jefferson, Shawn; Joel Esler; Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Hogger 0.1.3 released

No downside really... for hosts that are not specified in the xml, they revert to the default policy for each 
respective preprocessor, e.g.:
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10

I may have an environment that is mostly made up of windows boxes, but I have scanned everything else and those hosts 
are represented in the xml, so I changed my base policy to treat all other hosts as windows boxes (of course you can 
substitute this for what is good for your environment).

As far as the rules side goes... since your xml can detail services on nonstandard ports, say you have a box that is 
running http on port 2000, and you have a rule with a header of:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
but that rule contains "metadata:service http;"
Snort will also inspect port 2000 traffic for that host since it is defined as http traffic.
Again, if an IP is not detailed in the attribute table, Snort will process the rule as it normally would, i.e., on port 
80 traffic for the host.

I hope I wasn't too terse and that makes sense, but I have to run to a meeting and had to cut it short.
-Parker
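The two behaviours Parker describes above (per-host frag/stream policy from the table, and a "metadata:service http;" rule being applied to a host's non-standard http port) depend on the shape of the attribute table XML that Hogger generates from a scan. The following is an added example, not Hogger's code and not from the original thread: it builds a small attribute table from a constructed host inventory, parses it back, and works out which ports an http rule would cover for a given host under the behaviour Parker describes. Element names follow the Host Attribute Table section of the Snort 2.x manual as I recall it (SNORT_ATTRIBUTES, ATTRIBUTE_MAP, ATTRIBUTE_TABLE, HOST, OPERATING_SYSTEM, FRAG_POLICY, STREAM_POLICY, SERVICES/SERVICE); the hosts, IPs and services are made up, and the port-coverage function is a model of the described behaviour, not Snort's actual matching code.

```python
"""Build and inspect a Snort 2.x host attribute table (added example, not Hogger's code)."""
import xml.etree.ElementTree as ET

# Constructed inventory, roughly what a scan of the environment might yield.
# 10.0.0.20 runs http on port 2000, the case discussed in the thread.
HOSTS = [
    {"ip": "10.0.0.5", "os": "Windows", "frag": "windows", "stream": "windows",
     "services": [("tcp", 80, "http"), ("tcp", 445, "netbios-ssn")]},
    {"ip": "10.0.0.20", "os": "Linux", "frag": "linux", "stream": "linux",
     "services": [("tcp", 2000, "http"), ("tcp", 22, "ssh")]},
]


def build_attribute_table(hosts):
    """Return the attribute table as an XML string.

    Element names follow the Snort 2.x manual's Host Attribute Table section
    (assumption: check the manual for the Snort version you run). OS names are
    numbered through ATTRIBUTE_MAP and referenced by ATTRIBUTE_ID.
    """
    root = ET.Element("SNORT_ATTRIBUTES")
    amap = ET.SubElement(root, "ATTRIBUTE_MAP")
    os_ids = {}
    for h in hosts:
        if h["os"] not in os_ids:
            os_ids[h["os"]] = len(os_ids) + 1
            entry = ET.SubElement(amap, "ENTRY")
            ET.SubElement(entry, "ID").text = str(os_ids[h["os"]])
            ET.SubElement(entry, "VALUE").text = h["os"]
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for h in hosts:
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = h["ip"]
        osel = ET.SubElement(host, "OPERATING_SYSTEM")
        name = ET.SubElement(osel, "NAME")
        ET.SubElement(name, "ATTRIBUTE_ID").text = str(os_ids[h["os"]])
        ET.SubElement(name, "CONFIDENCE").text = "100"
        # Per-host policies override the frag3/stream5 defaults from snort.conf.
        ET.SubElement(osel, "FRAG_POLICY").text = h["frag"]
        ET.SubElement(osel, "STREAM_POLICY").text = h["stream"]
        services = ET.SubElement(host, "SERVICES")
        for proto, port, app in h["services"]:
            svc = ET.SubElement(services, "SERVICE")
            for tag, value in (("PORT", str(port)), ("IPPROTO", proto), ("PROTOCOL", app)):
                el = ET.SubElement(svc, tag)
                ET.SubElement(el, "ATTRIBUTE_VALUE").text = value
                ET.SubElement(el, "CONFIDENCE").text = "100"
    return ET.tostring(root, encoding="unicode")


def services_for(xml_text, ip):
    """Parse the table back; return {(ipproto, port): protocol} for one host,
    or None when the host is absent (Snort then uses its default policies)."""
    root = ET.fromstring(xml_text)
    for host in root.iter("HOST"):
        if host.findtext("IP") == ip:
            return {
                (s.findtext("IPPROTO/ATTRIBUTE_VALUE"),
                 int(s.findtext("PORT/ATTRIBUTE_VALUE"))): s.findtext("PROTOCOL/ATTRIBUTE_VALUE")
                for s in host.iter("SERVICE")
            }
    return None


def http_ports_for(xml_text, ip, rule_ports=(80,)):
    """Model of the behaviour described in the thread: a rule written for
    port 80 with 'metadata:service http;' also covers any tcp port the table
    labels 'http' on this host; hosts not in the table keep the rule's port."""
    ports = set(rule_ports)
    known = services_for(xml_text, ip)
    if known is not None:
        ports |= {port for (proto, port), app in known.items()
                  if proto == "tcp" and app == "http"}
    return ports


if __name__ == "__main__":
    xml_text = build_attribute_table(HOSTS)
    with open("attribute_table.xml", "w") as fh:   # load with: attribute_table filename <path>
        fh.write(xml_text)
    for ip in ("10.0.0.5", "10.0.0.20", "10.0.0.99"):
        print(ip, sorted(http_ports_for(xml_text, ip)))
```

The generated file is loaded from snort.conf with `attribute_table filename /path/to/attribute_table.xml`. On the size question raised later in the thread: Snort caps how many hosts it reads from the table with `config max_attribute_hosts: <n>` (default 10000 in the 2.x manual), so a table built from a scan of a large environment should be checked against that limit, otherwise hosts past the cap silently fall back to the default policies.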
________________________________
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Tuesday, March 23, 2010 1:02 PM
To: Joel Esler; Andy Berryman
Cc: Crook, Parker; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Hogger 0.1.3 released

Is there any downside to using it?  If the IP address is not in the host attribute table will it still be monitored as 
per normal?

________________________________
From: Joel Esler [mailto:joel.esler () me com]
Sent: Tuesday, March 23, 2010 9:45 AM
To: Andy Berryman
Cc: Crook, Parker; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Hogger 0.1.3 released

Glad to see people are using this.  It makes the set up of the network as far as Snort sees it (preprocessors, rules, 
etc) much much easier, and protects against much more.

Joel

On Mar 23, 2010, at 11:51 AM, Andy Berryman wrote:

So, I have hogger running and it slurped in my XML file and I see it in the syslog that it loaded it. Thanks for the 
help!

--
Joel Esler
http://blog.joelesler.net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users