Snort mailing list archives
Re: Snort Host Attribute table
From: Joel Esler <joel.esler () me com>
Date: Thu, 25 Mar 2010 12:49:26 -0400
On Mar 24, 2010, at 2:11 PM, Jason Wallace wrote:
> 1) I know that it plays into frag3, stream5, http_inspect, and rules. But does it also have an effect on:
>
> ftp_telnet
> ftp_telnet_protocol
> smtp
> ssh
> dcerpc2
> dcerpc2_server
> dns
> ssl
>
> I assume it would at least affect the "ports" option of these.
According to the 2.8.6 docs, it affects exactly what you put in your initial comment above (after the 1). I don't see, according to the documentation, that it affects other preprocessors. I did not look at the code, however.
> 2) I suspect, now that we have hogger to help out, more people will be migrating to using the host attribute table.
I hope so.
> Right now I have a pretty complicated snort.conf to do what the host attribute table would do. For those migrating, does it make sense to simplify our detailed preprocessor setups to just match the most common hosts and let the table handle the rest?
Exactly.
> 3) Kind of the same question as #2 but in relation to "var"s. Since the table would have the IP and ports for these servers/services, does the host attribute table make the following pointless to define?
>
> var DNS_SERVERS
> var SMTP_SERVERS
> var HTTP_SERVERS
> var SQL_SERVERS
> var TELNET_SERVERS
> var FTP_SERVERS
> var SNMP_SERVERS
> portvar HTTP_PORTS
> portvar ORACLE_PORTS
> portvar FTP_PORTS
>
> I know without the host attribute table it is a good idea to specifically define the "*_SERVERS" vars to cut down on what is inspected, but with a host attribute table could you just set those to $HOME_NET and be done with them?
I would say yes, they are still important to configure. However, since you have such a detailed snort.conf, I would be interested in you testing both and letting us know your results.

--
Joel Esler
http://blog.joelesler.net
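Joel's suggestion to "test both" can be approached offline before touching a sensor: load the host attribute table, load the var/portvar lines, and list every host and port the table marks as a given service that the var-based preprocessor config alone would not inspect. The script below is an added example and is not code from the thread, from Snort, or from hogger. The XML layout follows the Snort 2.8 manual's host attribute table format (ATTRIBUTE_MAP / ATTRIBUTE_TABLE / HOST / SERVICES / SERVICE with PORT, IPPROTO and PROTOCOL children carrying ATTRIBUTE_VALUE or ATTRIBUTE_ID), with the OPERATING_SYSTEM block omitted for brevity; the hosts, ports and var lines are constructed for the example, and the var parser handles only flat bracketed lists, not nested or negated lists.

```python
"""Audit a Snort host attribute table against snort.conf var/portvar lines.

Added example; the attribute table and var lines below are constructed and the
XML layout follows the Snort 2.8 manual's host attribute table format.
"""
import re
import xml.etree.ElementTree as ET

# Constructed attribute table: two hosts, one HTTP service on a non-default port.
ATTRIBUTE_TABLE_XML = """<SNORT_ATTRIBUTES>
  <ATTRIBUTE_MAP>
    <ENTRY><ID>1</ID><VALUE>http</VALUE></ENTRY>
    <ENTRY><ID>2</ID><VALUE>dns</VALUE></ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <HOST>
      <IP>10.0.0.5</IP>
      <SERVICES>
        <SERVICE>
          <PORT><ATTRIBUTE_VALUE>80</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
          <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
          <PROTOCOL><ATTRIBUTE_ID>1</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
    <HOST>
      <IP>10.0.0.9</IP>
      <SERVICES>
        <SERVICE>
          <PORT><ATTRIBUTE_VALUE>8443</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
          <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
          <PROTOCOL><ATTRIBUTE_VALUE>http</ATTRIBUTE_VALUE><CONFIDENCE>90</CONFIDENCE></PROTOCOL>
        </SERVICE>
        <SERVICE>
          <PORT><ATTRIBUTE_VALUE>53</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
          <IPPROTO><ATTRIBUTE_VALUE>udp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
          <PROTOCOL><ATTRIBUTE_ID>2</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
"""

# Constructed snort.conf fragment of the kind the question lists.
SNORT_CONF = """
var HTTP_SERVERS [10.0.0.5,10.0.0.6]
portvar HTTP_PORTS [80,8080]
var DNS_SERVERS [10.0.0.9]
"""


def _attr(elem):
    """Return (value, is_id) for a PORT/IPPROTO/PROTOCOL element."""
    literal = elem.find("ATTRIBUTE_VALUE")
    if literal is not None:
        return literal.text.strip(), False
    return elem.find("ATTRIBUTE_ID").text.strip(), True


def parse_attribute_table(xml_text):
    """Return {ip: [(service, ipproto, port), ...]}, resolving ATTRIBUTE_IDs via the map."""
    root = ET.fromstring(xml_text)
    id_map = {e.findtext("ID").strip(): e.findtext("VALUE").strip() for e in root.iter("ENTRY")}
    hosts = {}
    for host in root.iter("HOST"):
        services = []
        for svc in host.iter("SERVICE"):
            fields = []
            for tag in ("PROTOCOL", "IPPROTO", "PORT"):
                val, is_id = _attr(svc.find(tag))
                fields.append(id_map[val] if is_id else val)
            services.append((fields[0], fields[1], int(fields[2])))
        hosts[host.findtext("IP").strip()] = services
    return hosts


def parse_vars(conf_text):
    """Return {NAME: set of members} for flat var/portvar list definitions."""
    pattern = r"^\s*(?:var|portvar)\s+(\w+)\s+\[?([^\]\n]+)\]?\s*$"
    return {m.group(1): {x.strip() for x in m.group(2).split(",") if x.strip()}
            for m in re.finditer(pattern, conf_text, re.M)}


def audit(hosts, variables, service="http", servers_var="HTTP_SERVERS", ports_var="HTTP_PORTS"):
    """Hosts and ports the table marks as `service` that the var config alone does not cover."""
    missing_hosts, missing_ports = set(), set()
    for ip, services in hosts.items():
        for name, _ipproto, port in services:
            if name != service:
                continue
            if ip not in variables.get(servers_var, set()):
                missing_hosts.add(ip)
            if str(port) not in variables.get(ports_var, set()):
                missing_ports.add(port)
    return sorted(missing_hosts), sorted(missing_ports)


if __name__ == "__main__":
    table = parse_attribute_table(ATTRIBUTE_TABLE_XML)
    conf_vars = parse_vars(SNORT_CONF)
    print("http gaps:", audit(table, conf_vars))
    print("dns gaps:", audit(table, conf_vars, "dns", "DNS_SERVERS", "DNS_PORTS"))
```

With the constructed input the HTTP audit reports 10.0.0.9 and port 8443: the table says that host serves HTTP there, but neither $HTTP_SERVERS nor $HTTP_PORTS mentions it, so with the vars alone http_inspect would not look at that traffic. Running the same comparison the other way round (hosts in the vars that the table does not know about) is the second half of the "test both" exercise, and the reason the vars remain worth keeping until the table is known to be complete.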