[Snort-users] Use of Host Attribute table, Frag3, and Stream 5 question

Crook, Parker Parker_Crook at ...14786...
Thu Apr 29 14:42:31 EDT 2010


The "policy first" portion of the frag3 engine tells snort the default frag3 reassembly behavior - to reassemble all undefined hosts according to "first" rules in this case (MacOS, and BSD follow this interpretation of the RFCs for fragmented packet reassembly).

If hosts are defined in a host attribute table, then packets will be assembled according to their definition in that table.

The way I run my frag3 (& stream5) default behavior, is to set the default policy to whatever systems make up the majority of my network, that way if I miss a host in the host attribute table, I have a higher percentage chance of correct packet and stream reassembly.  IE, if 80% of my hosts are running Windows 2003+ servers, I would set :

preprocessor frag3_engine: policy Windows detect anomalies timeout 180


preprocessor stream5_engine: policy windows2003, use_static_footprint_sizes

I hope that covers all that you asked about,



From: Andy Berryman [mailto:aberryman at ...14765...]
Sent: Thursday, April 29, 2010 1:25 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Use of Host Attribute table, Frag3, and Stream 5 question

If I'm using a host attribute table that I generated with nmap and Hogger, but my snort.conf only has these two lines:

preprocessor frag3_global: max_frags 65536

preprocessor frag3_engine: policy first detect_anomalies timeout 180

What will it do when it gets to a host in the attribute table that is a linux machine or a Cisco IOS? Will the attribute file basically only be good for the OS's that are the "first" category? Meaning that I'm really only using the attribute table to look at the hosts that are running Windows, MacOS, or HP-UX?

I know I can specify more "policies" in the snort.conf but, I have to bind IP's to that policy. Which can be time consuming when machines are constantly being added and removed.


Andy Berryman


This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100429/8f441077/attachment.html>

More information about the Snort-users mailing list