Snort mailing list archives

Re: Host attribute table validation / usage


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 31 Oct 2011 08:37:20 -0400

On Oct 29, 2011, at 3:09 AM, Enrico Papi wrote:

we are creating host attribute tables, with our script, from Nmap scans 
for every Snort instance we have.

The generated XMLs have the same structure described by the DTD included 
in the sources and cover almost all the attributes defined in the 
example in paragraph 2.7.2 of the Snort manual.

However we have omitted, in the final XML, these tags:

1) The whole 'attribute map' tag is omitted because we simply
specify 'Linux' or 'ssh' every time with the script

<ATTRIBUTE_MAP>
    <ENTRY>
        <ID>1</ID>
        <VALUE>Linux</VALUE>
    </ENTRY>
    <ENTRY>
        <ID>2</ID>
        <VALUE>ssh</VALUE>
    </ENTRY>
</ATTRIBUTE_MAP>

2) Every value in the services specification contains the tag confidence.
      <CONFIDENCE>100</CONFIDENCE>
We have omitted this.


3) We are not writing in the XML the vendor and the attribute tags 
for every host operating system:

<VENDOR>
    <ATTRIBUTE_VALUE>Red Hat</ATTRIBUTE_VALUE>
    <CONFIDENCE>99</CONFIDENCE>
</VENDOR>
<VERSION>
    <ATTRIBUTE_VALUE>2.6</ATTRIBUTE_VALUE>
    <CONFIDENCE>98</CONFIDENCE>
</VERSION>



In the end, when we try to validate the schema of our XMLs with xmllint, 
it fails for those differences I have written.

xmllint --valid --dtdvalid dtd_schema.dtd our_xml.xml


I doubt this tool will validate the syntax, as it doesn't actually start with the opening xml tag.  This is Snort's 
format, it just looks like XML.

I would like to know from you if these fields are needed and, if so, what 
we should put in if we have no value and they are currently not used by 
the Snort parser.

One more important question for us:

How can we know that Snort has loaded the host details specified in the 
XML attribute table files after we add the following line in snort.conf?

attribute_table filename our_xml.xml


On startup you should see an indication that the attribute table is being used.  Please look at your Snort start up.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
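As an added illustration (not code from this thread, from Sourcefire or from the Snort project), a generator that emits the elements the post's script leaves out, the ATTRIBUTE_MAP and a CONFIDENCE under every attribute, together with a check that reports exactly those omissions before the file is handed to xmllint. It assumes the element names from the Snort manual's section 2.7.2 example the post refers to (SNORT_ATTRIBUTES, ATTRIBUTE_TABLE, HOST, IP, OPERATING_SYSTEM, NAME, SERVICES, SERVICE, PORT, IPPROTO, PROTOCOL) and a hypothetical per-host record layout for the scan results; whether the DTD requires VENDOR and VERSION is not settled here, so they are written only when a value exists.

```python
import xml.etree.ElementTree as ET

# Constructed sample scan result; the record layout is hypothetical, not Nmap's output.
SAMPLE_HOSTS = [{"ip": "192.168.1.234", "os": "Linux", "vendor": "Red Hat", "version": "2.6",
                 "services": [{"port": 22, "ipproto": "tcp", "protocol": "ssh"}]}]

def build_attribute_table(hosts):
    # NAME/PROTOCOL point into ATTRIBUTE_MAP via ATTRIBUTE_ID; the rest carry ATTRIBUTE_VALUE; all get CONFIDENCE.
    ids = {}  # attribute string -> numeric ATTRIBUTE_ID
    def leaf(parent, tag, value, confidence=100, mapped=False):
        e = ET.SubElement(parent, tag)
        if mapped:
            ET.SubElement(e, "ATTRIBUTE_ID").text = str(ids.setdefault(value, len(ids) + 1))
        else:
            ET.SubElement(e, "ATTRIBUTE_VALUE").text = str(value)
        ET.SubElement(e, "CONFIDENCE").text = str(confidence)
    root = ET.Element("SNORT_ATTRIBUTES")
    amap = ET.SubElement(root, "ATTRIBUTE_MAP")  # filled after all hosts are seen
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for h in hosts:
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = h["ip"]
        os_ = ET.SubElement(host, "OPERATING_SYSTEM")
        leaf(os_, "NAME", h["os"], mapped=True)
        for key in ("vendor", "version"):  # written only when the scan produced a value
            if h.get(key):
                leaf(os_, key.upper(), h[key])
        svcs = ET.SubElement(host, "SERVICES")
        for s in h.get("services", []):
            svc = ET.SubElement(svcs, "SERVICE")
            leaf(svc, "PORT", s["port"])
            leaf(svc, "IPPROTO", s["ipproto"])
            leaf(svc, "PROTOCOL", s["protocol"], mapped=True)
    for value, num in sorted(ids.items(), key=lambda kv: kv[1]):
        entry = ET.SubElement(amap, "ENTRY")
        ET.SubElement(entry, "ID").text = str(num)
        ET.SubElement(entry, "VALUE").text = value
    return root

def check_table(root):
    # Flag the thread's omissions: no ATTRIBUTE_MAP, unmapped ATTRIBUTE_IDs, attributes lacking CONFIDENCE.
    amap = root.find("ATTRIBUTE_MAP")
    known = {e.findtext("ID") for e in amap.findall("ENTRY")} if amap is not None else set()
    problems = [] if amap is not None else ["no ATTRIBUTE_MAP"]
    for parent in root.iter():
        for child in parent:
            if child.tag in ("ATTRIBUTE_VALUE", "ATTRIBUTE_ID") and parent.find("CONFIDENCE") is None:
                problems.append(f"{parent.tag} lacks CONFIDENCE")
            if child.tag == "ATTRIBUTE_ID" and child.text not in known:
                problems.append(f"{parent.tag} refers to unmapped ID {child.text}")
    return problems
```

Serialise the returned tree with ET.tostring() to the file named in the attribute_table line of snort.conf; running check_table() first gives a clearer report than the xmllint failure alone.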

