[Snort-devel] host attribute file question

Steven Sturges steve.sturges at ...402...
Tue Nov 24 15:16:13 EST 2009


As a side note, you might try the profile 'all' in that
scenario.  It really comes down to how the servers handle
spaces/tabs and other things in the request.

-s

Jason Wallace wrote:
> I sent this to the snort-users list, and was asked to send it to the
> devel list also. Any help would be appreciated.
> 
> Per the docs...
> 
> With Snort 2.8.1, for a given host entry, the stream and IP frag
> information are both used. Of the service
> attributes, only the IP protocol (tcp, udp, etc), port, and protocol
> (http, ssh, etc) are used. The application
> and version for a given service attribute, and any client attributes
> are ignored. They will be used in a future
> release.
> 
> Are the application and version still not used? I'd like to define the
> application in the hopes that http_inspect will choose the correct
> profile for IIS and Apache. I cannot do the following in
> snort.conf...
> 
> preprocessor http_inspect_server: server 10.75.88.11 \
>                                 profile iis \
>                                 server_flow_depth 0 \
>                                 client_flow_depth 0 \
>                                 ports { 80 }
> 
> preprocessor http_inspect_server: server 10.75.88.11 \
>                                 profile apache \
>                                 server_flow_depth 0 \
>                                 client_flow_depth 0 \
>                                 ports { 8080 }
> 
> Since they have the same IP address only the last one in the config
> file is used. I can tell this because detect_anomalous_servers will
> still trigger an alert on the first one even though both are in the
> config.
> 
> 
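
A lint for the situation in the quoted message, as an added example (not code from the thread or from the Snort project): it parses snort.conf text and reports every address that has more than one http_inspect_server entry, the case where the poster reports that only the last entry is used. The sample config is constructed from the quoted entries; handling of the `server { ... }` list form assumes the Snort version in use accepts it.

```python
import re
from collections import defaultdict

# Constructed sample: the two quoted entries (trimmed) plus a default entry.
SAMPLE_CONF = r"""
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 10.75.88.11 \
                                profile iis \
                                ports { 80 }   # first entry
preprocessor http_inspect_server: server 10.75.88.11 \
                                profile apache \
                                ports { 8080 }
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
"""

ENTRY = re.compile(
    r"^preprocessor\s+http_inspect_server\s*:\s*server\s+(\{[^}]*\}|\S+)(.*)$")

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def parse_entries(text):
    """Return (address, profile, ports) for each http_inspect_server entry."""
    entries = []
    for line in logical_lines(text):
        m = ENTRY.match(line)
        if not m:
            continue
        rest = m.group(2)
        prof = re.search(r"\bprofile\s+(\S+)", rest)
        ports = re.search(r"\bports\s*\{([^}]*)\}", rest)
        for addr in m.group(1).strip("{} ").split():
            entries.append((addr, prof.group(1) if prof else None,
                            ports.group(1).split() if ports else []))
    return entries

def duplicate_servers(text):
    """Map each address configured more than once to its (profile, ports) list."""
    by_addr = defaultdict(list)
    for addr, profile, ports in parse_entries(text):
        by_addr[addr].append((profile, ports))
    return {a: e for a, e in by_addr.items() if len(e) > 1}

if __name__ == "__main__":
    for addr, entries in duplicate_servers(SAMPLE_CONF).items():
        print(f"{addr}: {len(entries)} http_inspect_server entries: {entries}")
```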



