Re: Attribute Table question

["Joel Esler (jesler)" <jesler () cisco com>]

No, it will not break anything.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Manager
Vulnerability Research Team, Sourcefire

On Nov 18, 2013, at 10:19 AM, SnortFan <SnortFan () yahoo com<mailto:SnortFan () yahoo com>> wrote:

Thanks Jefferson,

Does anyone know if adding the "metadata: service " tags to our rules break anything if we don't have any entries in 
the attribute table?

Thanks,
Ed

Sent from a mobile device.

On Nov 14, 2013, at 12:59 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com<mailto:Shawn.Jefferson () bcferries 
com>> wrote:

The attribute table allows Snort to know what OS is running on what IP addresses to know what Stream5 and Frag policies 
to apply.  As well as identifying services running on non-standard ports (HTTP on strange numbered ports for instance.) 
 What I'm doing is running prads on my packet capture box to build an attribute table and then pushing this down to the 
sensors.

The only issue I've run into is that over time (years) my attribute table has grown quite large and I don't think prads 
currently has any automatic pruning mechanism (that would be a nice feature to add: a metadata field for last seen time 
stamp and then a command line switch to prune after so many days not seen.)

http://gamelinux.github.io/prads/



-----Original Message-----
From: SnortFan [mailto:SnortFan () yahoo com]
Sent: November 14, 2013 8:07 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Attribute Table question

Hi All,
   I've got a question regarding the attribute table feature of snort.

I work at a company where the group (mine) that is responsible for running the snort sensors is not the group that 
administers the network and servers we monitor. In fact each department has their open IT shop and we are tasked to 
monitor traffic between departments, coming in and going out of the company. We have not been using the attribute table 
feature in snort.  We want to see alerts on all traffic regardless on type and we don't know what IP is hosting what 
service. It looks like using the attributes table would make rules that don't fit it's expected protocol type to be 
ignored.

One of the departments is now putting in a commercial source fire product and wants our custom rules with metadata: 
service tags to monitor their internal traffic.

1. In our situation where we don't control the ever changing IP space we monitor would using the attributes table 
feature be even possible or helpful?

2. Would adding the "metadata: service " tags to our rules break anything if we don't have any entries in the attribute 
table?

3. Am I totally miss understanding what the attribute table does?

Thanks,
Ed
------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps OAuth, Users, Roles, SQL, NoSQL, BLOB Storage 
and External API Access Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!