[Snort-users] host attribute table - feature request

Matt Olney molney at ...1935...
Mon Mar 22 16:55:27 EDT 2010


No problem :)  I caught a doc bug while I was working this, so it has worked
out well.

On Mon, Mar 22, 2010 at 4:52 PM, Crook, Parker <Parker_Crook at ...14786...> wrote:

> Yeah...
> I was grepping with the wrong info, it's there in 2.8.5.3, depending on
> whether Snort is started, reloaded, or restarted, in one of the following
> formats:
>
> 1:
> Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts
>
> 2:
> Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Starting...
> Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started, thread 3059501968 (21699)
>
> 3:
> Mar 22 16:27:01 SNORT2 snort[19778]: ===============================================================================
> Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
> Mar 22 16:27:01 SNORT2 snort[19778]:     Number Entries: 113
> Mar 22 16:27:01 SNORT2 snort[19778]:     Table Reloaded: 0
> Mar 22 16:27:01 SNORT2 snort[19778]: ===============================================================================
>
> Sorry for causing trouble,
> Parker
>
> -----Original Message-----
> From: Ryan Jordan [mailto:ryan.jordan at ...1935...]
> Sent: Monday, March 22, 2010 4:45 PM
> To: Crook, Parker
> Cc: Matt Olney; snort-devel-request at lists.sourceforge.net;
> snort-users at lists.sourceforge.net List
> Subject: Re: [Snort-users] host attribute table - feature request
>
> If you're not seeing those stats, make sure you compiled Snort with
> --enable-targetbased.
>
> -Ryan
>
> On Mon, Mar 22, 2010 at 4:33 PM, Crook, Parker <Parker_Crook at ...14786...>
> wrote:
> > Matt,
> >
> >
> >
> > No that's great -- I thought I remembered seeing something like that in my
> > lab at home, but thought I was losing it when I couldn't get it here in the
> > production environment (it was a late night coding session after all).
> >
> >
> >
> > Thanks again,
> >
> > Parker
> >
> >
> >
> > ________________________________
> >
> > From: Matt Olney [mailto:molney at ...1935...]
> > Sent: Monday, March 22, 2010 4:27 PM
> > To: Crook, Parker
> > Cc: Joel Esler; snort-devel-request at lists.sourceforge.net;
> > snort-users at lists.sourceforge.net List
> >
> > Subject: Re: [Snort-users] host attribute table - feature request
> >
> >
> >
> > In 2.8.6rc1, at least I get the following:
> >
> >
> >
> >
> > ===============================================================================
> > Attribute Table Stats:
> >     Number Entries: 1
> >     Table Reloaded: 0
> > ===============================================================================
> >
> >
> >
> > In the Snort output.  Is that sufficient?  I'll put a feature request bug
> > in, but I'm just making sure this isn't what you are looking for,
> >
> > Matt
> >
> >
> >
> > On Mon, Mar 22, 2010 at 4:15 PM, Crook, Parker <Parker_Crook at ...14786...>
> > wrote:
> >
> > Thanks Joel, I appreciate it.
> >
> >
> >
> > -Parker
> >
> > ________________________________
> >
> > From: Joel Esler [mailto:joel.esler at ...14399...]
> > Sent: Monday, March 22, 2010 2:55 PM
> > To: Crook, Parker
> > Cc: snort-users at lists.sourceforge.net List;
> > snort-devel-request at lists.sourceforge.net
> >
> > Subject: Re: [Snort-users] host attribute table - feature request
> >
> >
> >
> > Parker,
> >
> >
> >
> > I've cc'ed the snort-devel list.  I'm not aware if the developers are on the
> > snort-users list.
> >
> >
> >
> > J
> >
> >
> >
> > On Mar 22, 2010, at 1:35 PM, Crook, Parker wrote:
> >
> >
> >
> > After speaking with Andy about getting hogger to create the host attribute
> > table, he asked how he would know if Snort successfully slurped up the
> > attribute file.  I did some checking on my installation and went through the
> > logs and noticed there is not any sort of indication of whether or not Snort
> > is using a host attribute table.
> >
> >
> >
> > Would it be possible to add this feature so that we can receive confirmation
> > that we are or are not using the host attribute feature? (similar to the
> > message on PCAP frames)
> >
> >
> >
> > --
> > Joel Esler
> > http://blog.joelesler.net
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Download Intel® Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
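A way to automate the check discussed in this thread, as an added example that is not part of the original messages or of Snort itself: it scans syslog text for the three message formats Parker lists and reports, per Snort PID, whether an attribute table was loaded and with how many hosts. The sample log is built from the lines quoted above plus one constructed line for a process that logged no attribute-table message; the function names are hypothetical.

```python
import re

# Constructed sample: the log lines quoted in the thread, plus one made-up
# line (pid 30001) from a Snort process with no attribute-table output.
SAMPLE_LOG = """\
Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Starting...
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started, thread 3059501968 (21699)
Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
Mar 22 16:27:01 SNORT2 snort[19778]:     Number Entries: 113
Mar 22 16:27:01 SNORT2 snort[19778]:     Table Reloaded: 0
Mar 22 16:40:02 SNORT2 snort[30001]: (constructed) some unrelated startup message
"""

SYSLOG = re.compile(r"snort\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
LOADED = re.compile(r"Attribute Table Loaded with (\d+) hosts")
ENTRIES = re.compile(r"Number Entries: (\d+)")
RELOADED = re.compile(r"Table Reloaded: (\d+)")

def attribute_table_status(log_text):
    """Return {pid: evidence} for each Snort process that logged attribute-table lines."""
    status, in_stats = {}, set()  # in_stats: pids inside an "Attribute Table Stats:" block
    for line in log_text.splitlines():
        m = SYSLOG.search(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        if (hit := LOADED.search(msg)):                       # format 1: start
            status.setdefault(pid, {})["hosts"] = int(hit[1])
        elif "Attribute Table Reload Thread Started" in msg:  # format 2: reload
            status.setdefault(pid, {})["reload_thread"] = True
        elif msg.startswith("Attribute Table Stats:"):        # format 3: stats block
            in_stats.add(pid)
        elif pid in in_stats and (hit := ENTRIES.search(msg)):
            status.setdefault(pid, {})["hosts"] = int(hit[1])
        elif pid in in_stats and (hit := RELOADED.search(msg)):
            status.setdefault(pid, {})["reloads"] = int(hit[1])
            in_stats.discard(pid)                             # stats block complete
    return status

def pids_without_table(log_text):
    """Snort PIDs that logged something but never an attribute-table message."""
    seen = {int(m["pid"]) for m in map(SYSLOG.search, log_text.splitlines()) if m}
    return sorted(seen - set(attribute_table_status(log_text)))
```

A PID returned by `pids_without_table` is the case Ryan describes: check that the binary was compiled with --enable-targetbased.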