Snort mailing list archives

Re: Understanding MetaData


From: Rafael Leiva-Ochoa <spawn () rloteck net>
Date: Sun, 6 Dec 2015 09:53:31 -0800

Any takers...

On Friday, December 4, 2015, Rafael Leiva-Ochoa <spawn () rloteck net> wrote:

Hi All,

I am trying to understand how "metadata: service http" and other
service types work.

I tried reading these documents:

http://manual.snort.org/node323.html

and

http://manual.snort.org/node22.html#targetbased

But I am still a bit confused... :(

As I read the document, it stated the following: "The service Metadata
Key is only meaningful when a Host Attribute Table is provided".

The confusing part is that a lot of Talos signatures use "metadata:
service http", but there are no Host Attribute Tables created for that by
default when I installed snort. How are those signatures going to work
without it?

In snort.conf there is no setting to tell snort to load the attribute
XMLs. How is that done?

I also tried creating a custom rule in the local.rules file to better my
understanding of "metadata service" using "ssh", but it does not fire when
I use it. It only works when I remove the "service ssh".

Here is the rule:

alert tcp $HOME_NET any -> $HOME_NET 22 ( \
        msg:"SSH Brute Force Attempt"; \
        flow:established,to_server; \
        content:"SSH"; nocase; offset:0; depth:4; \
        detection_filter:track by_src, count 3, seconds 60; \
        sid:1000001; metadata:service ssh; rev:1;)

My understanding of metadata is that it is used to detect that someone is
using a service not based on the port, but based on what the protocol is
exhibiting. For example, if I ssh to a server using port 4598, which is
not a standard ssh port, the "metadata service ssh" will be able to see it
is ssh even though I had port 22 on the signature for the destination port.

Any input and answers would be great.

Thanks,

Rafael
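An added example, not part of the poster's message or of the Snort project's own files: a Host Attribute Table of the shape the manual's target-based section describes, which is what a rule's service metadata is matched against. It declares that a constructed host, 192.168.1.234, offers ssh on tcp/4598 rather than 22; the element names follow the manual's sample table, and the file path in the comment is assumed.

```xml
<!-- Added example: a minimal Host Attribute Table. Element names follow the
     Snort 2.9 manual's sample table; the host IP and port are constructed.
     Load it from snort.conf with (path assumed):
       config attribute_table filename /etc/snort/hosts.xml -->
<SNORT_ATTRIBUTES>
  <ATTRIBUTE_MAP>
    <!-- numeric ids referenced from ATTRIBUTE_ID elements below -->
    <ENTRY>
      <ID>1</ID>
      <VALUE>ssh</VALUE>
    </ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <HOST>
      <IP>192.168.1.234</IP>
      <OPERATING_SYSTEM>
        <NAME>
          <ATTRIBUTE_VALUE>Linux</ATTRIBUTE_VALUE>
          <CONFIDENCE>100</CONFIDENCE>
        </NAME>
        <FRAG_POLICY>linux</FRAG_POLICY>
        <STREAM_POLICY>linux</STREAM_POLICY>
      </OPERATING_SYSTEM>
      <SERVICES>
        <!-- the service entry: ssh served on a non-standard port -->
        <SERVICE>
          <PORT>
            <ATTRIBUTE_VALUE>4598</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </PORT>
          <IPPROTO>
            <ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </IPPROTO>
          <PROTOCOL>
            <ATTRIBUTE_ID>1</ATTRIBUTE_ID>
            <CONFIDENCE>100</CONFIDENCE>
          </PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
```

Without such a table loaded, Snort has no per-host service information for the service key to consult, which is the situation the manual's sentence about the key being "only meaningful when a Host Attribute Table is provided" refers to.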
