Snort mailing list archives
Re: Attribute Table question
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 18 Nov 2013 17:37:10 +0000
No, it will not break anything.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Manager
Vulnerability Research Team, Sourcefire

On Nov 18, 2013, at 10:19 AM, SnortFan <SnortFan () yahoo com> wrote:

Thanks Jefferson,

Does anyone know if adding the "metadata: service" tags to our rules will break anything if we don't have any entries in the attribute table?

Thanks,
Ed

Sent from a mobile device.

On Nov 14, 2013, at 12:59 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:

The attribute table allows Snort to know what OS is running on what IP addresses, so it knows which Stream5 and Frag policies to apply, as well as identifying services running on non-standard ports (HTTP on strangely numbered ports, for instance).

What I'm doing is running prads on my packet capture box to build an attribute table and then pushing this down to the sensors. The only issue I've run into is that over time (years) my attribute table has grown quite large, and I don't think prads currently has any automatic pruning mechanism (that would be a nice feature to add: a metadata field for a last-seen timestamp and then a command line switch to prune after so many days not seen).

http://gamelinux.github.io/prads/

-----Original Message-----
From: SnortFan [mailto:SnortFan () yahoo com]
Sent: November 14, 2013 8:07 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Attribute Table question

Hi All,

I've got a question regarding the attribute table feature of Snort. I work at a company where the group (mine) that is responsible for running the Snort sensors is not the group that administers the network and servers we monitor. In fact, each department has its own IT shop, and we are tasked to monitor traffic between departments and traffic coming into and going out of the company.

We have not been using the attribute table feature in Snort. We want to see alerts on all traffic regardless of type, and we don't know what IP is hosting what service. It looks like using the attribute table would cause rules that don't fit its expected protocol type to be ignored. One of the departments is now putting in a commercial Sourcefire product and wants our custom rules with metadata: service tags to monitor their internal traffic.

1. In our situation, where we don't control the ever-changing IP space we monitor, would using the attribute table feature even be possible or helpful?
2. Would adding the "metadata: service" tags to our rules break anything if we don't have any entries in the attribute table?
3. Am I totally misunderstanding what the attribute table does?

Thanks,
Ed

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
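Shawn's description of what the attribute table holds (an OS per IP that selects the Stream5/frag policy, plus services on non-standard ports) and his wish for a last-seen pruning switch, shown as an added Python example. This is not code from the thread, from prads, or from Snort: it parses a constructed table in the Snort 2.x attribute table XML layout, resolves ATTRIBUTE_ID numbers through ATTRIBUTE_MAP so that port 8888 reads as "http", and prunes hosts not seen within N days using a hypothetical last-seen sidecar (the metadata field Shawn proposes; prads does not emit one). The sample IPs, timestamps and function names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample table in the Snort 2.x attribute table XML layout (two hosts):
# host .10 runs HTTP on the non-standard port 8888, host .20 runs SSH on 22.
SAMPLE_TABLE = """<SNORT_ATTRIBUTES>
<ATTRIBUTE_MAP>
  <ENTRY><ID>1</ID><VALUE>Linux</VALUE></ENTRY>
  <ENTRY><ID>2</ID><VALUE>http</VALUE></ENTRY>
  <ENTRY><ID>3</ID><VALUE>ssh</VALUE></ENTRY>
</ATTRIBUTE_MAP>
<ATTRIBUTE_TABLE>
  <HOST>
    <IP>10.1.1.10</IP>
    <OPERATING_SYSTEM>
      <NAME><ATTRIBUTE_ID>1</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></NAME>
      <FRAG_POLICY>linux</FRAG_POLICY>
      <STREAM_POLICY>linux</STREAM_POLICY>
    </OPERATING_SYSTEM>
    <SERVICES>
      <SERVICE>
        <PORT><ATTRIBUTE_VALUE>8888</ATTRIBUTE_VALUE><CONFIDENCE>90</CONFIDENCE></PORT>
        <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
        <PROTOCOL><ATTRIBUTE_ID>2</ATTRIBUTE_ID><CONFIDENCE>90</CONFIDENCE></PROTOCOL>
      </SERVICE>
    </SERVICES>
  </HOST>
  <HOST>
    <IP>10.1.1.20</IP>
    <OPERATING_SYSTEM>
      <NAME><ATTRIBUTE_ID>1</ATTRIBUTE_ID><CONFIDENCE>80</CONFIDENCE></NAME>
      <FRAG_POLICY>linux</FRAG_POLICY>
      <STREAM_POLICY>linux</STREAM_POLICY>
    </OPERATING_SYSTEM>
    <SERVICES>
      <SERVICE>
        <PORT><ATTRIBUTE_VALUE>22</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
        <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
        <PROTOCOL><ATTRIBUTE_ID>3</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
      </SERVICE>
    </SERVICES>
  </HOST>
</ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>"""

# Hypothetical sidecar of last-seen timestamps keyed by IP: this stands in for the
# "last seen" metadata field proposed in the thread; prads does not produce it.
LAST_SEEN = {
    "10.1.1.10": "2013-11-13T09:00:00+00:00",
    "10.1.1.20": "2013-01-05T12:00:00+00:00",
}

# Constructed "now" so the example is reproducible (date of the thread).
REFERENCE_NOW = datetime(2013, 11, 18, tzinfo=timezone.utc)


def parse_table(xml_text):
    """Parse attribute table XML text into its root element."""
    return ET.fromstring(xml_text)


def load_attribute_map(root):
    """Map ATTRIBUTE_ID numbers to the names declared in ATTRIBUTE_MAP."""
    return {e.findtext("ID"): e.findtext("VALUE")
            for e in root.find("ATTRIBUTE_MAP").findall("ENTRY")}


def summarize_hosts(root):
    """Return {ip: (os_name, [(port, ipproto, service_name), ...])} with IDs resolved."""
    names = load_attribute_map(root)
    summary = {}
    for host in root.find("ATTRIBUTE_TABLE").findall("HOST"):
        os_name = names.get(host.findtext("OPERATING_SYSTEM/NAME/ATTRIBUTE_ID"), "unknown")
        services = [(svc.findtext("PORT/ATTRIBUTE_VALUE"),
                     svc.findtext("IPPROTO/ATTRIBUTE_VALUE"),
                     names.get(svc.findtext("PROTOCOL/ATTRIBUTE_ID"), "unknown"))
                    for svc in host.findall("SERVICES/SERVICE")]
        summary[host.findtext("IP")] = (os_name, services)
    return summary


def prune_stale_hosts(root, last_seen, now, max_age_days):
    """Remove HOST entries last seen more than max_age_days ago; return removed IPs.

    Hosts with no last-seen record are kept: an unknown age is not evidence of
    staleness, and dropping them would silently revert those IPs to the sensor's
    default Stream5/frag policies.
    """
    cutoff = now - timedelta(days=max_age_days)
    table = root.find("ATTRIBUTE_TABLE")
    removed = []
    for host in list(table.findall("HOST")):  # copy: we mutate while iterating
        ip = host.findtext("IP")
        stamp = last_seen.get(ip)
        if stamp is not None and datetime.fromisoformat(stamp) < cutoff:
            table.remove(host)
            removed.append(ip)
    return removed


def prune_table_xml(xml_text, last_seen, now, max_age_days):
    """Parse, prune, and return (pruned_xml_text, removed_ips)."""
    root = parse_table(xml_text)
    removed = prune_stale_hosts(root, last_seen, now, max_age_days)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for ip, (os_name, services) in summarize_hosts(parse_table(SAMPLE_TABLE)).items():
        print(ip, os_name, services)
    pruned_xml, removed = prune_table_xml(SAMPLE_TABLE, LAST_SEEN, REFERENCE_NOW, 30)
    print("pruned hosts:", removed)
```

The keep-on-unknown choice in prune_stale_hosts is the caveat worth noting: a host that vanishes from the table does not stop being inspected, it falls back to the sensor's default reassembly policy and loses its non-standard-port service mapping, so a pruning pass should only remove entries whose age is actually known.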