Snort mailing list archives

Re: Hosts Attribute exception/override?


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 17 Apr 2015 18:26:46 +0000

You are right.  I know we are working on an option for this.  I am not sure what version it is slated for.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On Apr 17, 2015, at 12:25 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Any update on this?

It makes me wonder if I’m missing anything due to the hosts_attribute table not being 100% “right”.  The behaviour is also not very intuitive, imo.


From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: January 22, 2015 5:11 PM
To: Jefferson, Shawn
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Hosts Attribute exception/override?

:) we are designing something now.
--
Joel Esler
Sent from my iPhone

On Jan 22, 2015, at 7:29 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Thanks, I’ll try to script that into the process.

On this topic though, I was thinking, should the hosts attribute system be over-riding ports that are defined in the snort.conf like this?  I can see it adding ports that it knows run a specific service, but if I am telling it that 3128 is an HTTP port in my snort.conf shouldn’t it honor that?

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: January 22, 2015 1:46 PM
To: Jefferson, Shawn
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Hosts Attribute exception/override?

Add an additional entry for that port in the Attribute table for that host.


On Jan 22, 2015, at 2:48 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

I recently made some changes on the network, and was trying to get alerting set up for a proxy server.  I had some trouble and finally tracked it down to the hosts attribute entry for my proxy.  I’m using PRADS and shipping that file to all my sensors.  Basically what had happened was that PRADS thinks that the proxy port 3128 is TLS/SSL, which it can be, but it’s also HTTP.  Snort was completely ignoring the HTTP traffic for that port, even though I had 3128 in all the right places in the snort.conf, and treating the proxy as EXTERNAL_NET.

Is there a method to override the hosts attribute table, or should I strip this system out before sending it to this particular sensor that is watching the proxy traffic?

Thanks
Shawn
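Joel's advice in the thread is to add an additional attribute-table entry for the port rather than strip the host out, and Shawn mentions scripting that into the PRADS-to-sensor process. As an added example (not code from the thread or from the Snort or PRADS projects), the script below appends an http SERVICE entry for tcp/3128 on the proxy host while keeping the ssl entry PRADS produced. The XML layout, and the use of ATTRIBUTE_VALUE for the protocol name, are assumed from the Snort 2.x manual's hosts attribute table format; the host IP and the sample table are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Snort 2.x attribute-table layout (assumed from the
# Snort manual): PRADS has recorded the proxy's port 3128 as ssl only.
SAMPLE_TABLE = """<SNORT_ATTRIBUTES>
  <ATTRIBUTE_TABLE>
    <HOST>
      <IP>10.0.0.5</IP>
      <SERVICES>
        <SERVICE>
          <PORT><ATTRIBUTE_VALUE>3128</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
          <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
          <PROTOCOL><ATTRIBUTE_VALUE>ssl</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>"""

def _attr(parent, tag, value, confidence=100):
    # <TAG><ATTRIBUTE_VALUE>value</ATTRIBUTE_VALUE><CONFIDENCE>c</CONFIDENCE></TAG>
    node = ET.SubElement(parent, tag)
    ET.SubElement(node, "ATTRIBUTE_VALUE").text = str(value)
    ET.SubElement(node, "CONFIDENCE").text = str(confidence)

def _host(root, ip):
    return next((h for h in root.iter("HOST") if h.findtext("IP") == ip), None)

def services_for(xml_text, ip, port):
    """Protocol names the table records for tcp ip:port, in document order."""
    host = _host(ET.fromstring(xml_text), ip)
    return [] if host is None else [
        svc.findtext("PROTOCOL/ATTRIBUTE_VALUE") for svc in host.iter("SERVICE")
        if svc.findtext("PORT/ATTRIBUTE_VALUE") == str(port)
        and svc.findtext("IPPROTO/ATTRIBUTE_VALUE") == "tcp"]

def add_service(xml_text, ip, port, protocol):
    """Append a tcp SERVICE for ip:port, keeping the PRADS entry; returns (xml, added)."""
    if protocol in services_for(xml_text, ip, port):
        return xml_text, False          # already recorded, nothing to do
    root = ET.fromstring(xml_text)
    host = _host(root, ip)
    if host is None:
        raise KeyError(f"host {ip} not in attribute table")
    services = host.find("SERVICES")
    if services is None:                # PRADS has seen no service on this host yet
        services = ET.SubElement(host, "SERVICES")
    svc = ET.SubElement(services, "SERVICE")
    _attr(svc, "PORT", port)
    _attr(svc, "IPPROTO", "tcp")
    _attr(svc, "PROTOCOL", protocol)
    return ET.tostring(root, encoding="unicode"), True
```

Running `add_service` over the PRADS output before it is shipped to the sensor leaves both the ssl and the http entry for tcp/3128 in place, so the table no longer contradicts the snort.conf port configuration.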
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
