[Snort-users] Use of Host Attribute table, Frag3, and Stream 5 question

Andy Berryman aberryman at ...14765...
Thu Apr 29 14:46:37 EDT 2010


Gotcha. So it uses the host attribute table and configures the policies
that way. Then if a machine is seen that isn't in the table, it uses the
policy that's in the snort.conf file, if I'm understanding correctly. 

 

From: Crook, Parker [mailto:Parker_Crook at ...14786...] 
Sent: Thursday, April 29, 2010 1:43 PM
To: Andy Berryman; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Use of Host Attribute table, Frag3, and
Stream 5 question

 

Andy,

 

The "policy first" portion of the frag3 engine tells snort the default
frag3 reassembly behavior - to reassemble all undefined hosts according
to "first" rules in this case (MacOS, and BSD follow this interpretation
of the RFCs for fragmented packet reassembly).  

 

If hosts are defined in a host attribute table, then packets will be
assembled according to their definition in that table.

 

The way I run my frag3 (& stream5) default behavior, is to set the
default policy to whatever systems make up the majority of my network,
that way if I miss a host in the host attribute table, I have a higher
percentage chance of correct packet and stream reassembly.  IE, if 80%
of my hosts are running Windows 2003+ servers, I would set :

preprocessor frag3_engine: policy Windows detect anomalies timeout 180

&

preprocessor stream5_engine: policy windows2003,
use_static_footprint_sizes

 

I hope that covers all that you asked about, 

Parker

 

________________________________

From: Andy Berryman [mailto:aberryman at ...14765...] 
Sent: Thursday, April 29, 2010 1:25 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Use of Host Attribute table, Frag3, and Stream 5
question

 

If I'm using a host attribute table that I generated with nmap and
Hogger, but my snort.conf only has these two lines:

 

preprocessor frag3_global: max_frags 65536

preprocessor frag3_engine: policy first detect_anomalies timeout 180

 

What will it do when it gets to a host in the attribute table that is a
linux machine or a Cisco IOS? Will the attribute file basically only be
good for the OS's that are the "first" category? Meaning that I'm really
only using the attribute table to look at the hosts that are running
Windows, MacOS, or HP-UX? 

 

I know I can specify more "policies" in the snort.conf but, I have to
bind IP's to that policy. Which can be time consuming when machines are
constantly being added and removed. 

 

 

Thanks,

Andy Berryman

 

________________________________

This message from Cymtec Systems, Inc. contains confidential information
and is solely for the use of the recipient(s) named above. If you are
not the intended recipient or an agent responsible for delivering it to
the intended recipient, you are hereby notified that you have received
this message in error and that any review, disclosure, copying,
distribution or use of the contents of this message is strictly
prohibited. If you have received this message in error, please destroy
it immediately and notify Cymtec Systems, Inc. by telephone at
+1.314.993.8700 or by return e-mail.

________________________________

 


###############################################################################
This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above.  If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited.  If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.                    
###############################################################################
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100429/1ad0f4ce/attachment.html>


More information about the Snort-users mailing list