Snort mailing list archives
Re: Hogger 0.1.3 released
From: Joel Esler <joel.esler () me com>
Date: Tue, 23 Mar 2010 14:18:55 -0400
Max number of hosts in the attribute table is 512k. Default for Snort is 10000.
-- Joel Esler
Sent from my iPhone

On Mar 23, 2010, at 2:16 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:

Thanks, that makes sense. How about the size of the attribute table? If I scan every host in my environment the file may get quite large. What are the memory requirements of the host attribute table?

From: Crook, Parker [mailto:Parker_Crook () reyrey com]
Sent: Tuesday, March 23, 2010 10:12 AM
To: Jefferson, Shawn; Joel Esler; Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Hogger 0.1.3 released

No downside really… for hosts that are not specified in the xml, they revert to the default policy for each respective preprocessor, e.g.:

preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10

I may have an environment that is mostly made up of windows boxes, but I have scanned everything else and those hosts are represented in the xml, so I changed my base policy to treat all other hosts as windows boxes (of course you can substitute this for what is good for your environment).

As far as the rules side goes… since your xml can detail services on nonstandard ports, say you have a box that is running http on port 2000, and you have a rule with a header of:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80

but that rule contains “metadata:service http;” Snort will also inspect port 2000 traffic for that host as well since it is defined as http traffic. Again, if an IP is not detailed in the attribute table, Snort will process the rule as it normally would, i.e., on port 80 traffic for the host.

I hope I wasn’t too terse and that makes sense, but I have to run to a meeting and had to cut it short.

-Parker

From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Tuesday, March 23, 2010 1:02 PM
To: Joel Esler; Andy Berryman
Cc: Crook, Parker; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Hogger 0.1.3 released

Is there any downside to using it? If the IP address is not in the host attribute table will it still be monitored as per normal?

From: Joel Esler [mailto:joel.esler () me com]
Sent: Tuesday, March 23, 2010 9:45 AM
To: Andy Berryman
Cc: Crook, Parker; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Hogger 0.1.3 released

Glad to see people are using this. It makes the set up of the network as far as Snort sees it (preprocessors, rules, etc) much much easier, and protects against much more.

Joel

On Mar 23, 2010, at 11:51 AM, Andy Berryman wrote:

So, I have hogger running and it slurped in my XML file and I see it in the syslog that it loaded it. Thanks for the help!

-- Joel Esler
http://blog.joelesler.net
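As an added illustration of the matching Parker describes and the host limit Joel cites (this is not code from the thread or from Hogger): a small Python script that loads a constructed attribute table, enforces the 10000-host default, and reports which ports a rule carrying `metadata:service http` would be inspected on for a given host. The element names follow the Snort 2.x attribute-table XML layout as I understand it from the Snort manual; the hosts, IPs and ports in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Snort 2.x attribute-table layout (assumed from the
# Snort manual, not taken from the thread). One host runs http on tcp/2000.
ATTRIBUTE_XML = """<SNORT_ATTRIBUTES>
 <ATTRIBUTE_MAP>
  <ENTRY><ID>1</ID><VALUE>http</VALUE></ENTRY>
  <ENTRY><ID>2</ID><VALUE>ssh</VALUE></ENTRY>
 </ATTRIBUTE_MAP>
 <ATTRIBUTE_TABLE>
  <HOST><IP>10.0.0.5</IP><SERVICES><SERVICE>
   <PORT><ATTRIBUTE_VALUE>2000</ATTRIBUTE_VALUE></PORT>
   <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE></IPPROTO>
   <PROTOCOL><ATTRIBUTE_ID>1</ATTRIBUTE_ID></PROTOCOL>
  </SERVICE></SERVICES></HOST>
  <HOST><IP>10.0.0.6</IP><SERVICES><SERVICE>
   <PORT><ATTRIBUTE_VALUE>22</ATTRIBUTE_VALUE></PORT>
   <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE></IPPROTO>
   <PROTOCOL><ATTRIBUTE_ID>2</ATTRIBUTE_ID></PROTOCOL>
  </SERVICE></SERVICES></HOST>
 </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>"""

DEFAULT_MAX_HOSTS = 10000  # Snort's default max_attribute_hosts (from the thread)


def load_services(xml_text, max_hosts=DEFAULT_MAX_HOSTS):
    """Return {ip: {(ipproto, port): service_name}} for every HOST entry,
    refusing a table with more hosts than the configured limit."""
    root = ET.fromstring(xml_text)
    names = {e.findtext("ID"): e.findtext("VALUE") for e in root.iter("ENTRY")}
    hosts = {}
    for host in root.iter("HOST"):
        if len(hosts) >= max_hosts:
            raise ValueError("attribute table exceeds max_attribute_hosts")
        svcs = {}
        for svc in host.iter("SERVICE"):
            port = int(svc.findtext("PORT/ATTRIBUTE_VALUE"))
            proto = svc.findtext("IPPROTO/ATTRIBUTE_VALUE")
            svcs[(proto, port)] = names[svc.findtext("PROTOCOL/ATTRIBUTE_ID")]
        hosts[host.findtext("IP")] = svcs
    return hosts


def inspected_ports(hosts, ip, rule_port, service):
    """Ports on which a rule with header port rule_port and
    'metadata:service <service>' applies to host ip, as Parker describes:
    the header port always, plus any port the table declares for that service."""
    declared = {p for (proto, p), name in hosts.get(ip, {}).items()
                if proto == "tcp" and name == service}
    return {rule_port} | declared
```

A host absent from the table (or one whose declared services do not include the rule's service) falls back to the header port alone, which is the "processed as it normally would" case from the thread.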