[Snort-devel] host attribute file question

Steven Sturges steve.sturges at ...402...
Tue Nov 24 15:14:30 EST 2009


Hi Jason--

No, currently, the client & service application and version attributes
are still ignored.

That's an interesting configuration you have... I'll add an enhancement
request to our queue.  Not sure of the impact of adding it, so
no promises on a time frame.

Cheers.
-steve

Jason Wallace wrote:
> I sent this to the snort-users list, and was asked to send it to the
> devel list also. Any help would be appreciated.
> 
> Per the docs...
> 
> With Snort 2.8.1, for a given host entry, the stream and IP frag
> information are both used. Of the service
> attributes, only the IP protocol (tcp, udp, etc), port, and protocol
> (http, ssh, etc) are used. The application
> and version for a given service attribute, and any client attributes
> are ignored. They will be used in a future
> release.
> 
> Is the application and version still not used? I'd like to define the
> application in the hopes that http_inspect will choose the correct
> profile for IIS and Apache. I cannot do the following in
> snort.conf...
> 
> preprocessor http_inspect_server: server 10.75.88.11 \
>                                 profile iis \
>                                 server_flow_depth 0 \
>                                 client_flow_depth 0 \
>                                 ports { 80 }
> 
> preprocessor http_inspect_server: server 10.75.88.11 \
>                                 profile apache \
>                                 server_flow_depth 0 \
>                                 client_flow_depth 0 \
>                                 ports { 8080 }
> 
> Since they have the same IP address only the last one in the config
> file is used. I can tell this because detect_anomalous_servers will
> still trigger an alert on the first one even though both are in the
> config.
> 
> 



