[Snort-users] Snort Host Attribute table

JJ Cummings cummingsj at ...11827...
Tue Mar 23 12:00:18 EDT 2010


One of the following outputs (depending on HUP, init, etc.). This was taken
from the email chain about this yesterday.

JJC

1:
Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts

2:
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Starting...
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started, thread 3059501968 (21699)

3:
Mar 22 16:27:01 SNORT2 snort[19778]: ===============================================================================
Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
Mar 22 16:27:01 SNORT2 snort[19778]:     Number Entries: 113
Mar 22 16:27:01 SNORT2 snort[19778]:     Table Reloaded: 0
Mar 22 16:27:01 SNORT2 snort[19778]: ===============================================================================

On Tue, Mar 23, 2010 at 9:56 AM, Andy Berryman <aberryman at ...14758...> wrote:

>  I have an attribute table that was created with the help of Hooger.
> <--great program btw
>
> My question is, now that snort's loading the file, how do I know it's
> working?
>
> I see it loading it in my syslog, but not sure if there is anything I can
> check to make sure it's doing what it's supposed to be doing.
>
> Also, what does the below output tell me? "fpBuildServicePortGroups"
>
> Mar 23 15:42:26 (none) snort[4648]: Attribute Table Reload Thread Starting...
> Mar 23 15:42:26 (none) snort[4648]: Attribute Table Reload Thread Started, thread 3067956416 (4648)
> Mar 23 15:42:26 (none) snort[4648]: Checking PID path...
> Mar 23 15:42:26 (none) snort[4648]: PID path stat checked out ok, PID path set to /var/run/
> Mar 23 15:42:26 (none) snort[4648]: Writing PID "4648" to file "/var/run//snort_eth1.pid"
> Mar 23 15:42:26 (none) snort[4648]: Decoding Ethernet on interface eth1
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=24 as service=x11
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=12 as service=netbios-ns
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=28 as service=ldap
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=74 as service=ident
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=91 as service=rtsp
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=13 as service=netbios-ssn
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=90 as service=ssl
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=86 as service=sunrpc
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=10 as service=dcerpc
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=17 as service=finger
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=6 as service=ftp
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=57 as service=font-service
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=95 as service=ldp
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=8 as service=smtp
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=21 as service=pop3
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=14 as service=nntp
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=92 as service=kerberos
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=22 as service=snmp
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=18 as service=imap
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=52 as service=mysql
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=52 as service=mysql
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=10 as service=dcerpc
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=13 as service=netbios-ssn
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=91 as service=rtsp
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=18 as service=imap
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=8 as service=smtp
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=12 as service=netbios-ns
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=6 as service=ftp
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=24 as service=x11
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=28 as service=ldap
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=22 as service=snmp
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=74 as service=ident
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=86 as service=sunrpc
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=94 as service=ircd
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=90 as service=ssl
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=21 as service=pop3
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=14 as service=nntp
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=10 as service=dcerpc
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=23 as service=tftp
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=12 as service=netbios-ns
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=92 as service=kerberos
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=22 as service=snmp
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=13 as service=netbios-ssn
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=96 as service=radius
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=86 as service=sunrpc
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=93 as service=ntp
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=10 as service=dcerpc
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=91 as service=rtsp
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=93 as service=ntp
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=12 as service=netbios-ns
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=13 as service=netbios-ssn
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=22 as service=snmp
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=96 as service=radius
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=86 as service=sunrpc
>
> Thanks,
>
> Andy Berryman



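An added check, not part of either message above and not a Snort tool: a short Python script that reads the syslog lines Snort writes and pulls out the evidence JJ points at, namely the "Attribute Table Loaded with N hosts" line at startup, the reload-thread message, the "Attribute Table Stats" block at shutdown, and the fpBuildServicePortGroups lines, which it collapses into one ordinal-to-service map and flags if the same ordinal ever shows up with two different service names. The sample syslog embedded below is constructed in the shape of the lines quoted in the thread (host names, PIDs and counts are illustrative); the expected_hosts argument is my own addition, meant for comparing the loaded count against the number of hosts the operator knows the table contains.

```python
import re

# Constructed sample in the shape of the syslog lines quoted in the thread;
# the hostnames, PIDs and counts are illustrative, not from a live sensor.
SAMPLE_SYSLOG = """\
Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Starting...
Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started, thread 3059501968 (21699)
Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=24 as service=x11
Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
Mar 22 16:27:01 SNORT2 snort[19778]:     Number Entries: 113
Mar 22 16:27:01 SNORT2 snort[19778]:     Table Reloaded: 0
"""

LOADED_RE = re.compile(r"Attribute Table Loaded with (\d+) hosts")
RELOAD_RE = re.compile(r"Attribute Table Reload Thread Started")
ENTRIES_RE = re.compile(r"Number Entries: (\d+)")
RELOADED_RE = re.compile(r"Table Reloaded: (\d+)")
SERVICE_RE = re.compile(
    r"fpBuildServicePortGroups: adding protocol-ordinal=(\d+) as service=(\S+)")


def summarize(lines):
    """Scan syslog lines and collect the attribute-table evidence Snort logs."""
    s = {
        "hosts_loaded": None,          # from "Attribute Table Loaded with N hosts"
        "reload_thread_started": False,
        "stats_entries": None,         # from the "Attribute Table Stats" block
        "table_reloaded": None,
        "services": {},                # ordinal -> service name, duplicates collapsed
        "conflicts": [],               # (ordinal, old_name, new_name) if a name changes
        "service_lines": 0,            # raw count of fpBuildServicePortGroups lines
    }
    for line in lines:
        if m := LOADED_RE.search(line):
            s["hosts_loaded"] = int(m.group(1))
        elif RELOAD_RE.search(line):
            s["reload_thread_started"] = True
        elif m := ENTRIES_RE.search(line):
            s["stats_entries"] = int(m.group(1))
        elif m := RELOADED_RE.search(line):
            s["table_reloaded"] = int(m.group(1))
        elif m := SERVICE_RE.search(line):
            s["service_lines"] += 1
            ordinal, name = int(m.group(1)), m.group(2)
            old = s["services"].get(ordinal)
            if old is not None and old != name:
                s["conflicts"].append((ordinal, old, name))
            s["services"][ordinal] = name
    return s


def attribute_table_ok(summary, expected_hosts=None):
    """True when Snort reported loading a non-empty table, the host count
    matches what the operator expects (if given), and no ordinal was mapped
    to two different service names."""
    n = summary["hosts_loaded"]
    if n is None or n == 0:
        return False
    if expected_hosts is not None and n != expected_hosts:
        return False
    return not summary["conflicts"]


if __name__ == "__main__":
    # Replace SAMPLE_SYSLOG.splitlines() with the lines of the real syslog
    # file (e.g. the snort[...] lines from /var/log/messages) to check a sensor.
    result = summarize(SAMPLE_SYSLOG.splitlines())
    print(f"hosts loaded: {result['hosts_loaded']}, "
          f"reload thread started: {result['reload_thread_started']}")
    print(f"stats entries: {result['stats_entries']}, "
          f"table reloaded: {result['table_reloaded']}")
    print(f"{len(result['services'])} distinct services "
          f"from {result['service_lines']} fpBuildServicePortGroups lines")
    print("conflicting ordinals:", result["conflicts"])
    print("attribute table OK:", attribute_table_ok(result, expected_hosts=113))
```

Repeated fpBuildServicePortGroups lines carrying the same ordinal and name, as in the output quoted above, are collapsed silently; only an ordinal that changes name between lines is reported as a conflict. A missing "Attribute Table Loaded" line makes attribute_table_ok return False, which is the case to look for first when the table appears not to be doing anything.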