Snort mailing list archives
Re: Host attribute table validation / usage
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 31 Oct 2011 08:37:20 -0400
On Oct 29, 2011, at 3:09 AM, Enrico Papi wrote:
we are creating host attribute tables, with our script, from Nmap scans for every snort instance we have. The generated XMLs have the same structure described by the dtd included in the sources and cover almost all the attributes defined in the example at paragraph 2.7.2 of the Snort manual. However we have omitted, in the final XML, these tags:

1) The whole 'attribute map' tag is omitted because we simply specify 'Linux' or 'ssh' every time with the script

<ATTRIBUTE_MAP>
  <ENTRY>
    <ID>1</ID>
    <VALUE>Linux</VALUE>
  </ENTRY>
  <ENTRY>
    <ID>2</ID>
    <VALUE>ssh</VALUE>
  </ENTRY>
</ATTRIBUTE_MAP>

2) Every value in the services specification contains the tag confidence.

<CONFIDENCE>100</CONFIDENCE>

We have omitted this.

3) We are not writing in the xml the vendor and the attribute tags for every host operating system,

<VENDOR>
  <ATTRIBUTE_VALUE>Red Hat</ATTRIBUTE_VALUE>
  <CONFIDENCE>99</CONFIDENCE>
</VENDOR>
<VERSION>
  <ATTRIBUTE_VALUE>2.6</ATTRIBUTE_VALUE>
  <CONFIDENCE>98</CONFIDENCE>
</VERSION>

In the end when we try to validate with xmllint the schema of our xmls it fails for those differences I have written.

xmllint --valid --dtdvalid dtd_schema.dtd our_xml.xml
I doubt this tool will validate the syntax, as it doesn't actually start with the opening xml tag. This is Snort's format, it just looks like XML.
I would like to know from you if these fields are needed and if so, what we should put in if we have no value and they are currently not used by the snort parser. One more important question for us: How can we know that Snort has loaded the host details specified in the xml attribute table files after we add the following line in snort.conf?

attribute_table filename our_xml.xml
On startup you should see an indication that the attribute table is being used. Please look at your Snort start up.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
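Added example, not code from this thread or from Snort: a small Python generator that writes a host attribute table in the layout of the manual's section 2.7.2 example, building ATTRIBUTE_MAP from the values referenced by ID and attaching a CONFIDENCE to every value, plus a check that lists any value still lacking one. It assumes the element names from that manual example (SNORT_ATTRIBUTES, ATTRIBUTE_TABLE, HOST, IP, OPERATING_SYSTEM, NAME, ATTRIBUTE_ID, SERVICES, SERVICE, PORT, IPPROTO, PROTOCOL) and the constructed host data in HOSTS; the default confidence of 100 is a choice made here, not something the thread says Snort requires.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the per-host data a script might pull from an Nmap scan.
HOSTS = [
    {"ip": "192.168.1.234", "os": "Linux", "vendor": "Red Hat", "os_version": "2.6",
     "services": [{"port": 22, "ipproto": "tcp", "protocol": "ssh"}]},
]

def build_attribute_table(hosts, default_confidence=100):
    """Return (root element, attribute-map dict) for a host attribute table.
    Element names follow the manual's section 2.7.2 example (assumed here):
    OS NAME and service PROTOCOL are referenced by ID through ATTRIBUTE_MAP,
    the other values are inline ATTRIBUTE_VALUEs, and each gets a CONFIDENCE."""
    attr_ids = {}                                   # value -> map ID, first-seen order
    def valued(parent, tag, value, by_id=False):
        node = ET.SubElement(parent, tag)
        if by_id:
            ident = attr_ids.setdefault(value, len(attr_ids) + 1)
            ET.SubElement(node, "ATTRIBUTE_ID").text = str(ident)
        else:
            ET.SubElement(node, "ATTRIBUTE_VALUE").text = str(value)
        ET.SubElement(node, "CONFIDENCE").text = str(default_confidence)
    root = ET.Element("SNORT_ATTRIBUTES")
    amap = ET.SubElement(root, "ATTRIBUTE_MAP")     # created first so it precedes the table
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for h in hosts:
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = h["ip"]
        os_el = ET.SubElement(host, "OPERATING_SYSTEM")
        valued(os_el, "NAME", h["os"], by_id=True)
        valued(os_el, "VENDOR", h["vendor"])
        valued(os_el, "VERSION", h["os_version"])
        services = ET.SubElement(host, "SERVICES")
        for s in h["services"]:
            svc = ET.SubElement(services, "SERVICE")
            valued(svc, "PORT", s["port"])
            valued(svc, "IPPROTO", s["ipproto"])
            valued(svc, "PROTOCOL", s["protocol"], by_id=True)
    for value, ident in sorted(attr_ids.items(), key=lambda kv: kv[1]):
        entry = ET.SubElement(amap, "ENTRY")        # map filled once all IDs are known
        ET.SubElement(entry, "ID").text = str(ident)
        ET.SubElement(entry, "VALUE").text = value
    return root, attr_ids

def values_missing_confidence(root):
    """Tags with ATTRIBUTE_VALUE/ATTRIBUTE_ID but no CONFIDENCE (the omission in the question)."""
    return [el.tag for el in root.iter()
            if (el.find("ATTRIBUTE_VALUE") is not None or el.find("ATTRIBUTE_ID") is not None)
            and el.find("CONFIDENCE") is None]
```

Serialise with ET.tostring(root, encoding="unicode") to get the file body; whether Snort actually picked the table up is still best confirmed from the start-up output, as Joel says.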