[Snort-devel] [Snort-users] Interested in developing a preprocessor; want all the documentation I can get.

Victor Roemer vroemer at ...402...
Wed Aug 14 16:31:22 EDT 2013


On Wed, Aug 14, 2013 at 2:52 PM, Jefferson, Shawn <
Shawn.Jefferson at ...3132...> wrote:

> Hi Tony,
>
> I have a setup that does pretty much this. Here’s what I do:
>
> One server captures all packets from my network taps, and using prads,
> builds the hosts_attribute table and sends that on a schedule over to my
> snort boxes. Pretty simple.
>
> The problem I have is that I’ve been running this for so long, that I have
> a huge hosts attribute file, over 10000 hosts which is the limit. Does
> anyone know, is there a configuration to increase this limit?
>
config max_attribute_hosts: N

Maximum value is 524288

>
> It would be an interesting patch to have prads track how long it’s been
> since it’s seen a host and automatically prune it from the file if it’s
> been over a certain threshold.
>
> *From:* Tony Robinson [mailto:deusexmachina667 at ...2499...]
> *Sent:* Tuesday, August 13, 2013 4:27 PM
> *To:* Joel Esler
> *Cc:* snort-users at lists.sourceforge.net; Rodrigo Montoro; mailinglist
> mailinglist
> *Subject:* Re: [Snort-users] [Snort-devel] Interested in developing a
> preprocessor; want all the documentation I can get.
>
> Appreciate all the feedback. Apologies for the delay: sleeping, work, etc.
> You get the idea.
>
> I was thinking DAQ is where I would want to look as well, but I was under
> the impression that DAQ essentially takes the place of libpcap -- you're
> using DAQ to grab the raw traffic off the wire before passing it to snort
> for "cleanup" and other purposes. I don't know if this assertion is correct
> or not -- I mean, is DAQ used to pass reassembled traffic between
> preprocessors?
>
> I'm not a dev either, just another infosec enthusiast, and I just thought
> that this would be something awesome since snort is really good at
> reassembling traffic and prads/p0f could totally take advantage of
> reassembled streams for service and OS detection. This in turn can create a
> feedback loop for building reassembly policies and (eventually) be used to
> make suggestions for rules to enable/disable via pulledpork or another
> rule management tool.
>
> On Tue, Aug 13, 2013 at 8:56 AM, Joel Esler <jesler at ...402...> wrote:
>
> On Aug 12, 2013, at 9:52 PM, Tony Robinson <deusexmachina667 at ...2499...>
> wrote:
>
> This gives me a good starting point... Do you or anyone else for that
> matter know if the starter kit is compatible with the latest snort
> versions? I'm assuming so, since the web page refers to snort 2.9.4.x while
> the text doc in the tarball refers to snort 2.9.0.x.
>
> Also, specifically what I'm looking to do is take normalized traffic in
> either a passive or inline config and pass the cleaned up/reassembled
> traffic to prads or p0f for more accurate host detection, and in turn prads
> or p0f could be used to build more accurate stream 5 or frag 3 host
> policies... Makes sense, no?
>
> It’s compatible.
>
> ** **
>
>
>
>
> --
> when does reality end? when does fantasy begin? ****
>
>
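A worked version of Shawn's pruning idea, as an added example that is neither prads nor Snort code: it reads a prads asset log (the column layout and the sample rows below are assumed and constructed, not a real capture), drops every host whose newest "discovered" timestamp is older than a chosen threshold, and then works out whether the surviving host count still needs a larger config max_attribute_hosts line, capped at the 524288 maximum given above.

```python
import csv
import io

# Constructed sample in the prads-asset.log layout this example assumes
# (asset,vlan,port,proto,service,[service-info],distance,discovered);
# not a real capture. 'discovered' is a Unix epoch timestamp.
SAMPLE_ASSET_LOG = """asset,vlan,port,proto,service,[service-info],distance,discovered
10.0.0.5,0,80,6,SERVER,[http:Apache],0,1376500000
10.0.0.5,0,0,6,SYN,[Linux:2.6],0,1376510000
10.0.0.9,0,22,6,SERVER,[ssh:OpenSSH],0,1370000000
10.0.0.12,0,443,6,CLIENT,[ssl],1,1376520000
"""

DEFAULT_MAX_HOSTS = 10000   # Snort's default max_attribute_hosts (the 10000 limit hit above)
HARD_MAX_HOSTS = 524288     # largest value Snort accepts for max_attribute_hosts

def last_seen_by_host(log_text):
    """Newest 'discovered' timestamp per asset IP across all of its rows."""
    seen = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = int(row["discovered"])
        seen[row["asset"]] = max(seen.get(row["asset"], 0), ts)
    return seen

def prune_stale(log_text, now, max_age_s):
    """Drop every row of a host not seen within max_age_s of 'now'.
    Returns (kept_rows, dropped_ips); a host stays if any of its rows is fresh."""
    seen = last_seen_by_host(log_text)
    live = {ip for ip, ts in seen.items() if now - ts <= max_age_s}
    kept = [r for r in csv.DictReader(io.StringIO(log_text)) if r["asset"] in live]
    return kept, sorted(set(seen) - live)

def max_attribute_hosts_line(host_count, headroom=1.25):
    """snort.conf line needed to load host_count hosts with some headroom,
    or None when the default limit already suffices. Raises when even the
    hard maximum cannot hold them, i.e. prune before loading."""
    if host_count <= DEFAULT_MAX_HOSTS:
        return None
    if host_count > HARD_MAX_HOSTS:
        raise ValueError(f"{host_count} hosts exceeds Snort's maximum of {HARD_MAX_HOSTS}")
    wanted = min(int(host_count * headroom), HARD_MAX_HOSTS)
    return f"config max_attribute_hosts: {wanted}"

if __name__ == "__main__":
    kept, dropped = prune_stale(SAMPLE_ASSET_LOG, now=1376530000, max_age_s=7 * 86400)
    print(f"kept {len(kept)} rows, pruned hosts: {dropped}")
    print(max_attribute_hosts_line(12000))
```

Point prune_stale at the real asset log before running prads2snort, and feed the number of distinct hosts that survive into max_attribute_hosts_line to decide whether snort.conf needs changing at all.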