Re: Hogger 0.1.3 released

[Joel Esler <joel.esler () me com>]

Max number of hosts in the attribute table is 512k. Default for Snort  
is 10000.

--
Joel Esler
Sent from my iPhone

On Mar 23, 2010, at 2:16 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com 
> wrote:

> Thanks, that makes sense.  How about the size of the attribute  
> table?  If I scan every host in my environment the file may get  
> quite large.  What are the memory requirements of the host attribute  
> table?
>
>
>
> From: Crook, Parker [mailto:Parker_Crook () reyrey com]
> Sent: Tuesday, March 23, 2010 10:12 AM
> To: Jefferson, Shawn; Joel Esler; Andy Berryman
> Cc: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Hogger 0.1.3 released
>
>
>
> No downside really… for hosts that are not specified in the xml, the 
> y revert to the default policy for each respective preprocessor, e.g.:
>
> preprocessor frag3_engine: policy windows detect_anomalies  
> overlap_limit 10
>
>
>
> I may have an environment that is mostly made up of windows boxes,  
> but I have scanned everything else and those hosts are represented  
> in the xml, so I changed my base policy to treat all other hosts as  
> windows boxes (of course you can substitute this for what is good  
> for your environment.
>
>
>
> As far as the rules side goes… since your xml can detail services on 
>  nonstandard ports, say you have a box that is running http on port  
> 2000, and you have a rule with a header of:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
>
> but that rule contains “metadata:service http;”
>
> Snort will also inspect port 2000 traffic for that host as well  
> since it is defined as http traffic.
>
> Again, if an IP is not detailed in the attribute table, Snort will  
> process the rule as it normally would, ie, on port 80 traffic for  
> the host.
>
>
>
> I hope I wasn’t too terse and that makes sense, but I have to run to 
>  a meeting and had to cut it short.
>
> -Parker
>
> From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
> Sent: Tuesday, March 23, 2010 1:02 PM
> To: Joel Esler; Andy Berryman
> Cc: Crook, Parker; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Hogger 0.1.3 released
>
>
>
> Is there any downside to using it?  If the IP address is not in the  
> host attribute table will it still be monitored as per normal?
>
>
>
> From: Joel Esler [mailto:joel.esler () me com]
> Sent: Tuesday, March 23, 2010 9:45 AM
> To: Andy Berryman
> Cc: Crook, Parker; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Hogger 0.1.3 released
>
>
>
> Glad to see people are using this.  It makes the set up of the  
> network as far as Snort sees it (preprocessors, rules, etc) much  
> much easier, and protects against much more.
>
>
>
> Joel
>
>
>
> On Mar 23, 2010, at 11:51 AM, Andy Berryman wrote:
>
>
>
> So, I have hogger running and it slurpped in my XML file and I see  
> it in the syslog that it loaded it. Thanks for the help!
>
>
>
> --
> Joel Esler
> http://blog.joelesler.net
------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users