Re: Use of Host Attribute table, Frag3, and Stream 5 question

["Crook, Parker" <Parker_Crook () reyrey com>]

Exactly

  _____

From: Andy Berryman [mailto:aberryman () Cymtec com]
Sent: Thursday, April 29, 2010 2:47 PM
To: Crook, Parker; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Use of Host Attribute table, Frag3, and Stream 5 question



Gotcha. So it uses the host attribute table and configures the policies that way. Then if a machine is seen that isn't 
in the table, it uses the policy that's in the snort.conf file, if I'm understanding correctly.



From: Crook, Parker [mailto:Parker_Crook () reyrey com]
Sent: Thursday, April 29, 2010 1:43 PM
To: Andy Berryman; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Use of Host Attribute table, Frag3, and Stream 5 question



Andy,



The "policy first" portion of the frag3 engine tells snort the default frag3 reassembly behavior - to reassemble all 
undefined hosts according to "first" rules in this case (MacOS, and BSD follow this interpretation of the RFCs for 
fragmented packet reassembly).



If hosts are defined in a host attribute table, then packets will be assembled according to their definition in that 
table.



The way I run my frag3 (& stream5) default behavior, is to set the default policy to whatever systems make up the 
majority of my network, that way if I miss a host in the host attribute table, I have a higher percentage chance of 
correct packet and stream reassembly.  IE, if 80% of my hosts are running Windows 2003+ servers, I would set :

preprocessor frag3_engine: policy Windows detect anomalies timeout 180

&

preprocessor stream5_engine: policy windows2003, use_static_footprint_sizes



I hope that covers all that you asked about,

Parker



  _____

From: Andy Berryman [mailto:aberryman () Cymtec com]
Sent: Thursday, April 29, 2010 1:25 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Use of Host Attribute table, Frag3, and Stream 5 question



If I'm using a host attribute table that I generated with nmap and Hogger, but my snort.conf only has these two lines:



preprocessor frag3_global: max_frags 65536

preprocessor frag3_engine: policy first detect_anomalies timeout 180



What will it do when it gets to a host in the attribute table that is a linux machine or a Cisco IOS? Will the 
attribute file basically only be good for the OS's that are the "first" category? Meaning that I'm really only using 
the attribute table to look at the hosts that are running Windows, MacOS, or HP-UX?



I know I can specify more "policies" in the snort.conf but, I have to bind IP's to that policy. Which can be time 
consuming when machines are constantly being added and removed.





Thanks,

Andy Berryman



  _____

This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) 
named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, 
you are hereby notified that you have received this message in error and that any review, disclosure, copying, 
distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, 
please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.

  _____



  _____

This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) 
named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, 
you are hereby notified that you have received this message in error and that any review, disclosure, copying, 
distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, 
please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.

  _____



------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users