[Snort-users] host attribute file question

Jason Wallace jason.r.wallace at ...11827...
Tue Nov 24 11:15:51 EST 2009

Per the docs...

With Snort 2.8.1, for a given host entry, the stream and IP frag
information are both used. Of the service
attributes, only the IP protocol (tcp, udp, etc), port, and protocol
(http, ssh, etc) are used. The application
and version for a given service attribute, and any client attributes
are ignored. They will be used in a future

Is the application and version still not used? I'd like to define the
application in the hopes that http_inspect it will choose the correct
profile for IIS and Apache. I can not do the following in

preprocessor http_inspect_server: server \
                                 profile iis \
                                 server_flow_depth 0 \
                                 client_flow_depth 0 \
                                 ports { 80 }

preprocessor http_inspect_server: server \
                                 profile apache \
                                 server_flow_depth 0 \
                                 client_flow_depth 0 \
                                 ports { 8080 }

Since they have the same IP address only the last one in the config
file is used. I can tell this because detect_anomalous_servers will
still trigger an alert on the first one even though both are in the

More information about the Snort-users mailing list