[Snort-users] host attribute table - feature request

Joel Esler joel.esler at ...14399...
Mon Mar 22 17:14:15 EDT 2010


Glad that got clarified.  I don't have a system to check right now (rebuilding).  Thanks.

J

On Mar 22, 2010, at 4:52 PM, Crook, Parker wrote:

> Yeah...
> I was grepping with the wrong info, it's there in 2.8.5.3, depending on whether Snort is started, reloaded, or restarted, in one of the following formats:
> 
> 1:
> Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts
> 
> 2:
> Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Starting...
> Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started, thread 3059501968 (21699)
> 
> 3:
> Mar 22 16:27:01 SNORT2 snort[19778]: ===============================================================================
> Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
> Mar 22 16:27:01 SNORT2 snort[19778]:     Number Entries: 113
> Mar 22 16:27:01 SNORT2 snort[19778]:     Table Reloaded: 0
> Mar 22 16:27:01 SNORT2 snort[19778]: ===============================================================================
> 
> Sorry for causing trouble,
> Parker
> 
> -----Original Message-----
> From: Ryan Jordan [mailto:ryan.jordan at ...1935...]
> Sent: Monday, March 22, 2010 4:45 PM
> To: Crook, Parker
> Cc: Matt Olney; snort-devel-request at lists.sourceforge.net; snort-users at lists.sourceforge.net List
> Subject: Re: [Snort-users] host attribute table - feature request
> 
> If you're not seeing those stats, make sure you compiled Snort with
> --enable-targetbased.
> 
> -Ryan
> 
> On Mon, Mar 22, 2010 at 4:33 PM, Crook, Parker <Parker_Crook at ...14786...> wrote:
>> Matt,
>> 
>> 
>> 
>> No that's great -- I thought I remembered seeing something like that in my
>> lab at home, but thought I was losing it when I couldn't get it here in the
>> production environment (it was a late night coding session after all).
>> 
>> 
>> 
>> Thanks again,
>> 
>> Parker
>> 
>> 
>> 
>> ________________________________
>> 
>> From: Matt Olney [mailto:molney at ...1935...]
>> Sent: Monday, March 22, 2010 4:27 PM
>> To: Crook, Parker
>> Cc: Joel Esler; snort-devel-request at lists.sourceforge.net;
>> snort-users at lists.sourceforge.net List
>> 
>> Subject: Re: [Snort-users] host attribute table - feature request
>> 
>> 
>> 
>> In 2.8.6rc1, at least I get the following:
>> 
>> 
>> 
>> ===============================================================================
>> 
>> Attribute Table Stats:
>> 
>>    Number Entries: 1
>> 
>>    Table Reloaded: 0
>> 
>> ===============================================================================
>> 
>> 
>> 
>> In the Snort output.  Is that sufficient?  I'll put a feature request bug
>> in, but I'm just making sure this isn't what you are looking for,
>> 
>> Matt
>> 
>> 
>> 
>> On Mon, Mar 22, 2010 at 4:15 PM, Crook, Parker <Parker_Crook at ...14786...>
>> wrote:
>> 
>> Thanks Joel, I appreciate it.
>> 
>> 
>> 
>> -Parker
>> 
>> ________________________________
>> 
>> From: Joel Esler [mailto:joel.esler at ...14399...]
>> Sent: Monday, March 22, 2010 2:55 PM
>> To: Crook, Parker
>> Cc: snort-users at lists.sourceforge.net List;
>> snort-devel-request at lists.sourceforge.net
>> 
>> Subject: Re: [Snort-users] host attribute table - feature request
>> 
>> 
>> 
>> Parker,
>> 
>> 
>> 
>> I've cc'ed the snort-devel list.  I'm not aware if the developers are on the
>> snort-users list.
>> 
>> 
>> 
>> J
>> 
>> 
>> 
>> On Mar 22, 2010, at 1:35 PM, Crook, Parker wrote:
>> 
>> 
>> 
>> After speaking with Andy about getting hogger to create the host attribute
>> table, he asked how he would know if Snort successfully slurped up the
>> attribute file.  I did some checking on my installation and went through the
>> logs and noticed there is not any sort of indication of whether or not Snort
>> is using a host attribute table.
>> 
>> 
>> 
>> Would it be possible to add this feature so that we can receive confirmation
>> that we are or are not using the host attribute feature? (similar to the
>> message on PCAP frames)
>> 
>> 
>> 
>> --
>> Joel Esler
>> http://blog.joelesler.net
>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> 
>> 
>> 
> 

--
Joel Esler
http://blog.joelesler.net
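
An added example, not part of the original thread or of Snort itself: a small parser that reads syslog lines in the three formats Parker quotes and reports, per Snort PID, whether an attribute table was loaded and with how many hosts. The function names, the PID 30001 line and the rule that a started reload thread counts as evidence of a table are assumptions made for this sketch.

```python
import re
# Syslog shape seen in the thread: "... SNORT2 snort[21698]: <message>"
LINE = re.compile(r"snort\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
LOADED = re.compile(r"Attribute Table Loaded with (\d+) hosts")
ENTRIES = re.compile(r"Number Entries:\s*(\d+)")
RELOADED = re.compile(r"Table Reloaded:\s*(\d+)")

def attribute_table_status(lines):
    """Map each snort PID to what its log lines say about the attribute table."""
    status, in_stats = {}, set()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        st = status.setdefault(
            pid, {"hosts": None, "reloaded": None, "reload_thread": False})
        if hit := LOADED.search(msg):                         # format 1
            st["hosts"] = int(hit[1])
        elif "Attribute Table Reload Thread Started" in msg:  # format 2
            st["reload_thread"] = True
        elif "Attribute Table Stats:" in msg:                 # format 3 header
            in_stats.add(pid)
        elif pid in in_stats:                                 # inside a stats block
            if hit := ENTRIES.search(msg):
                st["hosts"] = int(hit[1])
            elif hit := RELOADED.search(msg):
                st["reloaded"] = int(hit[1])
            elif msg.startswith("====="):                     # closing separator
                in_stats.discard(pid)
    return status

def pids_without_table(status):
    """PIDs that logged something but showed no attribute table message.
    Assumption: a started reload thread counts as evidence of a table."""
    return sorted(pid for pid, s in status.items()
                  if s["hosts"] is None and not s["reload_thread"])

# Lines from the thread (separator shortened), plus one constructed line (PID 30001).
SAMPLE = """\
Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started, thread 3059501968 (21699)
Mar 22 16:27:01 SNORT2 snort[19778]: ====================
Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
Mar 22 16:27:01 SNORT2 snort[19778]:     Number Entries: 113
Mar 22 16:27:01 SNORT2 snort[19778]:     Table Reloaded: 0
Mar 22 16:27:01 SNORT2 snort[19778]: ====================
Mar 22 16:41:10 SNORT2 snort[30001]: constructed line with no attribute table message
""".splitlines()
```

A PID returned by `pids_without_table` is the case Ryan's reply addresses: check that the binary was compiled with `--enable-targetbased`.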





