[Snort-users] Metadata field in rules to identify target?

Matt Watchinski mwatchinski at ...1935...
Fri Feb 19 16:51:05 EST 2010


You can also use the metadata keyword in the Snort rule if you want.  It's a
free text field.

 metadata:SOME KEY, SOME VALUE;

Cheers,
-matt

On Fri, Feb 19, 2010 at 4:27 PM, Joel Esler <jesler at ...1935...> wrote:

> You could use the msg field to give a more specific indicator as to
> the purpose of the rule.
>
> "Exploit for IIS inbound", for example.
>
> --
> Joel Esler
> 302-223-5974
> Sent from my iPhone
>
> On Feb 19, 2010, at 3:04 PM, Williams Jon <WilliamsJonathan at ...2134...> wrote:
>
> > While I was discussing snort rules with some friends, I got to
> > thinking: would it be possible to add a metadata field to a snort
> > rule that would allow me to identify which end of the conversation
> > is the actual target of the activity (i.e. the source or destination
> > IP address)?  The reason this comes up is that I’ll sometimes need
> > to write rules where the source of the packet is actually the target
> > of the attack, for example looking for a response that indicates
> > that an attack succeeded.  Much of the time, analysis tools presume
> > that the source of the packet is the source of the attack, and in this
> > case, it’s obviously not the case.
> >
> > With such a beast in place, I could focus on alerts/attacker,
> > attackers/victim, etc. rather than the more mundane src/dst notation.
> >
> > Thoughts?
> >
> > Jon
> >
> > ------------------------------------
> >
> > Data is the pollution of the information age. -- Bruce Schneier
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>




-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
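Added example (not from the thread, and not Snort's own tooling): one way to act on a tag like the one Matt describes. The convention "metadata:target src" / "metadata:target dst" is a hypothetical one chosen for this example; Snort itself only interprets a few metadata keys (engine, soid, service) and passes anything else through untouched, and the tag lives only in the rules file, not in the alert output, so an analysis tool has to join alerts back to rules on sid to recover it. The rules and alerts below are constructed for illustration, not real VRT rules or real traffic.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed rules for this example (not real VRT rules).  "target src"/
# "target dst" is a hypothetical metadata convention: Snort itself only
# acts on a handful of metadata keys (engine, soid, service) and carries
# everything else through untouched, so the tag is for our tooling only.
# Rule 1000001 matches a server *response*, so the packet's source is the
# victim; rule 1000002 is the ordinary inbound shape; rule 1000003 is
# untagged to show how an unknown direction is reported.
RULES = r'''
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"WEB-MISC IIS exploit success indicator"; flow:established,from_server; content:"|00 00 00 00|pwned"; metadata:target src, service http; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC IIS exploit attempt inbound"; flow:established,to_server; content:"/scripts/..%c0%af../"; nocase; metadata:target dst, service http; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"untagged rule"; sid:1000003; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
META_RE = re.compile(r'\bmetadata\s*:\s*([^;]*);')


def parse_metadata(rule_text):
    """Return {sid: {key: value}} for every rule in rule_text.

    metadata is a comma-separated list of "key value" pairs.  A rule
    without a sid is skipped: an alert can only be joined back to its
    rule by sid, so a tag on a sid-less rule is unreachable anyway.
    """
    out = {}
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m_sid = SID_RE.search(line)
        if not m_sid:
            continue
        meta = {}
        m_meta = META_RE.search(line)
        if m_meta:
            for pair in m_meta.group(1).split(','):
                parts = pair.split(None, 1)
                if len(parts) == 2:
                    meta[parts[0].strip()] = parts[1].strip()
        out[int(m_sid.group(1))] = meta
    return out


@dataclass(frozen=True)
class Alert:
    """Minimal stand-in for the fields an alert record carries."""
    sid: int
    src_ip: str
    dst_ip: str


def attacker_victim(alert, meta_by_sid):
    """Map an alert's src/dst onto (attacker, victim) via the target tag.

    Returns (None, None) when the rule carries no usable tag instead of
    falling back to "source == attacker", which is the assumption the
    original post objects to.
    """
    target = meta_by_sid.get(alert.sid, {}).get('target')
    if target == 'src':        # the sender of this packet is the victim
        return alert.dst_ip, alert.src_ip
    if target == 'dst':        # the usual case: the receiver is the victim
        return alert.src_ip, alert.dst_ip
    return None, None


def alerts_per_attacker(alerts, meta_by_sid):
    """Count alerts by attacker, the attacker-centric view Jon asked for."""
    counts = Counter()
    for alert in alerts:
        attacker, _victim = attacker_victim(alert, meta_by_sid)
        counts[attacker or 'unattributed'] += 1
    return counts


if __name__ == '__main__':
    meta = parse_metadata(RULES)
    # Constructed alerts: one response-side hit, one inbound hit, one untagged.
    alerts = [
        Alert(1000001, '10.0.0.5', '198.51.100.7'),
        Alert(1000002, '198.51.100.7', '10.0.0.5'),
        Alert(1000003, '203.0.113.9', '10.0.0.5'),
    ]
    for a in alerts:
        print(a.sid, 'attacker/victim =', attacker_victim(a, meta))
    print(alerts_per_attacker(alerts, meta))
```

Untagged rules are deliberately reported as unattributed rather than guessed at, so the report makes it obvious which rules still need the tag added.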