Snort mailing list archives
Re: Hosts Attribute exception/override?
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 17 Apr 2015 18:26:46 +0000
You are right. I know we are working on an option for this. I am not sure what version it is slated for. -- Joel Esler Open Source Manager Threat Intelligence Team Lead Talos Group On Apr 17, 2015, at 12:25 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com<mailto:Shawn.Jefferson () bcferries com>> wrote: Any update on this? It makes me wonder if I’m missing anything due to the hosts_attribute table not being 100% “right”. The behaviour is also not very intuitive, imo. From: Joel Esler (jesler) [mailto:jesler () cisco com] Sent: January 22, 2015 5:11 PM To: Jefferson, Shawn Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] Hosts Attribute exception/override? :) we are designing something now. -- Joel Esler Sent from my iPhone On Jan 22, 2015, at 7:29 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com<mailto:Shawn.Jefferson () bcferries com>> wrote: Thanks, I’ll try to script that into the process. On this topic though, I was thinking, should the hosts attribute system be over-riding ports that are defined in the snort.conf like this? I can see it adding ports that it knows run a specific service, but if I am telling it that 3128 is an HTTP port in my snort.conf shouldn’t it honor that? From: Joel Esler (jesler) [mailto:jesler () cisco com] Sent: January 22, 2015 1:46 PM To: Jefferson, Shawn Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] Hosts Attribute exception/override? Add an additional entry for that port in the Attribute table for that host. On Jan 22, 2015, at 2:48 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com<mailto:Shawn.Jefferson () bcferries com>> wrote: I recently made some changes on the network, and was trying to get alerting setup for a proxy server. I had some trouble and finally tracked it down to the hosts attribute entry for my proxy. I’m using PRADS and shipping that file to all my sensors. Basically what had happened was that PRADS thinks that the proxy port 3128 is TLS/SSL, which it can be, but it’s also HTTP. Snort was completely ignoring the HTTP traffic for that port, even though I had 3128 in all the right places in the snort.conf, and treating the proxy as EXTERNAL_NET. Is there a method to override the hosts attribute table, or should I strip this system out before sending it to this particular sensor that is watching the proxy traffic? Thanks Shawn ------------------------------------------------------------------------------ New Year. New Location. New Benefits. New Data Center in Ashburn, VA. GigeNET is offering a free month of service with a new server in Ashburn. Choose from 2 high performing configs, both with 100TB of bandwidth. Higher redundancy.Lower latency.Increased capacity.Completely compliant. http://p.sf.net/sfu/gigenet_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
------------------------------------------------------------------------------ BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT Develop your own process in accordance with the BPMN 2 standard Learn Process modeling best practices with Bonita BPM through live exercises http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Hosts Attribute exception/override? Jefferson, Shawn (Apr 17)
- Re: Hosts Attribute exception/override? Joel Esler (jesler) (Apr 17)