Snort mailing list archives

Re: Understanding MetaData


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sun, 6 Dec 2015 18:54:30 +0000

In the FirePOWER product, service is detected, not reliant on port. So the "service" metadata is automatic in the
product.

However, in open source Snort, you either have to use OpenAppID to detect the services, or you have to specify them
using a static file, called the Host Attributes table. XML-based, you're correct.



--
Joel Esler
Manager, Talos Group
Sent from my iPad
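
As an added illustration of the static file Joel refers to (this is not part of the original thread or Talos's own
configuration), the fragment below follows the Host Attribute Table layout described in the target-based section of
the Snort manual linked later in this thread. The host address 192.0.2.10, the port 4598 and the file path are
placeholders chosen for the example; the OPERATING_SYSTEM block the manual also shows is left out here on the
assumption that only the service mapping is needed for "metadata:service" lookups.

```xml
<SNORT_ATTRIBUTES>
  <!-- ATTRIBUTE_MAP: numeric IDs that ATTRIBUTE_ID elements below refer to -->
  <ATTRIBUTE_MAP>
    <ENTRY>
      <ID>1</ID>
      <VALUE>ssh</VALUE>
    </ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <!-- Placeholder host (example only): runs SSH on TCP/4598, not on port 22 -->
    <HOST>
      <IP>192.0.2.10</IP>
      <SERVICES>
        <SERVICE>
          <PORT>
            <ATTRIBUTE_VALUE>4598</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </PORT>
          <IPPROTO>
            <ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </IPPROTO>
          <!-- PROTOCOL names the service; ID 1 maps to "ssh" in ATTRIBUTE_MAP -->
          <PROTOCOL>
            <ATTRIBUTE_ID>1</ATTRIBUTE_ID>
            <CONFIDENCE>100</CONFIDENCE>
          </PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
```

The table is loaded from snort.conf with a line of the form "attribute_table filename /etc/snort/hosts.xml" (the path
is a placeholder). With it loaded, a session to 192.0.2.10:4598 is known to Snort as ssh, so a rule carrying
"metadata:service ssh" is evaluated against that session on the basis of the service rather than the port in the rule
header; for destination hosts that have no entry in the table, matching falls back to the rule's port fields, which is
why a rule with "metadata:service ssh" and no table behaves no differently from a plain port-22 rule.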

On Dec 6, 2015, at 1:50 PM, paul meding <medingtac () gmail com> wrote:

Not a Snort answer per se, but metadata is to bring context to network traffic. Magic numbers can identify applications,
filetypes, etc. based upon the offsets that are used in their implementations. In this way, if someone renames for
example a .zip file as a .abc to bypass filtering, metadata creation will still identify it as a .zip file due to the
raw packets. Same way that if someone sends HTTP traffic across a non-HTTP port, it is still identified as HTTP, just
over a non-standard port. Snort can create and act off metadata, as well as some other free network tools like netminer
and RSA's Investigator that you can download and further see how metadata can make your analysis much more effective
and make you a faster analyst.

Metadata can be used to identify filetypes, applications, geo, match domain malware lists, protocols, flags, payload
statistics, so many things it would be impossible to list them all. In Snort it's used so even if traffic isn't on the
typical port used by SSH, for example, it's still identified as such, so it can't be fooled by our wonderful advanced
adversaries we are looking to thwart.

Paul



On Sun, Dec 6, 2015 at 11:53 AM, Rafael Leiva-Ochoa <spawn () rloteck net> wrote:
Any takers...


On Friday, December 4, 2015, Rafael Leiva-Ochoa <spawn () rloteck net> wrote:
Hi All,

    I am trying to understand how "metadata: service http"  and other service types work.

I tried reading these documents:

http://manual.snort.org/node323.html

and

http://manual.snort.org/node22.html#targetbased

But I am still a bit confused... :(

As I read the document, it stated the following: "The service Metadata Key is only meaningful when a Host Attribute
Table is provided".

The confusing part is a lot of Talos signatures use "metadata: service http", but there is no Host Attribute Table
created for that by default when I installed Snort. How are those signatures going to work without it?

In the snort.conf there is no setting to tell Snort to load the Attributes XML. How is that done?

I also tried creating a custom rule in the local.rules file to better my understanding of "metadata service" using
"ssh", but it does not fire when I use it. It only works when I remove the "service ssh".

Here is the rule:

alert tcp $HOME_NET any -> $HOME_NET 22 ( \
        msg:"SSH Brute Force Attempt"; \
        flow:established,to_server; \
        content:"SSH"; nocase; offset:0; depth:4; \
        detection_filter:track by_src, count 3, seconds 60; \
        sid:1000001; metadata:service ssh; rev:1;)

My understanding of metadata is that it is used to detect that someone is using a service not based on the port, but
based on what the protocol is exhibiting. For example, if I ssh to a server using port 4598, which is not a standard
SSH port, the "metadata service ssh" will be able to see it is SSH even though I had port 22 on the signature for the
destination port.

Any input and answers would be great.

Thanks,

Rafael

------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
