[Snort-users] Hogger 0.1.3 released

Crook, Parker Parker_Crook at ...14786...
Tue Mar 23 13:12:11 EDT 2010


No downside really... for hosts that are not specified in the xml, they revert to the default policy for each respective preprocessor, e.g.:

preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10



I may have an environment that is mostly made up of windows boxes, but I have scanned everything else and those hosts are represented in the xml, so I changed my base policy to treat all other hosts as windows boxes (of course you can substitute this for what is good for your environment).



As far as the rules side goes... since your xml can detail services on nonstandard ports, say you have a box that is running http on port 2000, and you have a rule with a header of:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80

but that rule contains "metadata:service http;"

Snort will also inspect port 2000 traffic for that host as well since it is defined as http traffic.

Again, if an IP is not detailed in the attribute table, Snort will process the rule as it normally would, i.e., on port 80 traffic for the host.



I hope I wasn't too terse and that makes sense, but I have to run to a meeting and had to cut it short.

-Parker
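The two behaviours Parker describes (unlisted hosts fall back to the preprocessor's configured default policy; listed hosts get service-tagged rules applied on their nonstandard ports too) as a small model, added here and not part of the thread or of Hogger. The attribute table is a constructed one in the Snort 2.x host attribute table layout, with a made-up IP and a host serving http on tcp/2000; the fallback value comes from the frag3_engine line above.

```python
import xml.etree.ElementTree as ET
# Constructed attribute table (Snort 2.x layout, as Hogger would emit): http on tcp/2000.
ATTRIBUTE_TABLE_XML = """<SNORT_ATTRIBUTES>
  <ATTRIBUTE_MAP><ENTRY><ID>1</ID><VALUE>Linux</VALUE></ENTRY></ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <HOST>
      <IP>10.0.0.5</IP>
      <OPERATING_SYSTEM>
        <NAME><ATTRIBUTE_ID>1</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></NAME>
        <FRAG_POLICY>linux</FRAG_POLICY>
      </OPERATING_SYSTEM>
      <SERVICES>
        <SERVICE>
          <PORT><ATTRIBUTE_VALUE>2000</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
          <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
          <PROTOCOL><ATTRIBUTE_VALUE>http</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>"""

DEFAULT_FRAG_POLICY = "windows"  # from "preprocessor frag3_engine: policy windows ..."

def load_hosts(xml_text):
    """Map IP -> {'frag_policy': str, 'services': {(ipproto, port): service}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("HOST"):
        frag = host.findtext("OPERATING_SYSTEM/FRAG_POLICY")
        services = {}
        for svc in host.iter("SERVICE"):
            port = int(svc.findtext("PORT/ATTRIBUTE_VALUE"))
            proto = svc.findtext("IPPROTO/ATTRIBUTE_VALUE")
            services[(proto, port)] = svc.findtext("PROTOCOL/ATTRIBUTE_VALUE")
        hosts[host.findtext("IP")] = {"frag_policy": frag, "services": services}
    return hosts

def frag_policy_for(hosts, ip):
    """A host absent from the table reverts to the preprocessor's default policy."""
    entry = hosts.get(ip)
    return entry["frag_policy"] if entry and entry["frag_policy"] else DEFAULT_FRAG_POLICY

def inspected_ports(hosts, ip, rule_port, rule_service):
    """Ports where a rule with header port rule_port and metadata:service rule_service
    is applied to traffic to ip: the header port, plus any table port tagged with that service."""
    ports = {rule_port}
    for (proto, port), service in hosts.get(ip, {}).get("services", {}).items():
        if proto == "tcp" and service == rule_service:
            ports.add(port)
    return sorted(ports)
```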

  _____

From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
Sent: Tuesday, March 23, 2010 1:02 PM
To: Joel Esler; Andy Berryman
Cc: Crook, Parker; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Hogger 0.1.3 released



Is there any downside to using it?  If the IP address is not in the host attribute table will it still be monitored as per normal?



  _____

From: Joel Esler [mailto:joel.esler at ...14399...]
Sent: Tuesday, March 23, 2010 9:45 AM
To: Andy Berryman
Cc: Crook, Parker; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Hogger 0.1.3 released



Glad to see people are using this.  It makes the set up of the network as far as Snort sees it (preprocessors, rules, etc) much much easier, and protects against much more.



Joel



On Mar 23, 2010, at 11:51 AM, Andy Berryman wrote:



So, I have hogger running and it slurped in my XML file and I see it in the syslog that it loaded it. Thanks for the help!



--
Joel Esler
http://blog.joelesler.net




