[Snort-users] Hogger 0.1.3 released

Joel Esler joel.esler at ...14399...
Tue Mar 23 14:18:55 EDT 2010


Max number of hosts in the attribute table is 512k. Default for Snort  
is 10000.

--
Joel Esler
Sent from my iPhone

On Mar 23, 2010, at 2:16 PM, "Jefferson, Shawn" <Shawn.Jefferson at ...14596...> wrote:

> Thanks, that makes sense.  How about the size of the attribute  
> table?  If I scan every host in my environment the file may get  
> quite large.  What are the memory requirements of the host attribute  
> table?
>
>
>
> From: Crook, Parker [mailto:Parker_Crook at ...14786...]
> Sent: Tuesday, March 23, 2010 10:12 AM
> To: Jefferson, Shawn; Joel Esler; Andy Berryman
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Hogger 0.1.3 released
>
>
>
> No downside really… for hosts that are not specified in the xml, they  
> revert to the default policy for each respective preprocessor, e.g.:
>
> preprocessor frag3_engine: policy windows detect_anomalies  
> overlap_limit 10
>
>
>
> I may have an environment that is mostly made up of windows boxes,  
> but I have scanned everything else and those hosts are represented  
> in the xml, so I changed my base policy to treat all other hosts as  
> windows boxes (of course you can substitute this for what is good  
> for your environment).
>
>
>
> As far as the rules side goes… since your xml can detail services on  
> nonstandard ports, say you have a box that is running http on port  
> 2000, and you have a rule with a header of:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
>
> but that rule contains “metadata:service http;”
>
> Snort will also inspect port 2000 traffic for that host as well  
> since it is defined as http traffic.
>
> Again, if an IP is not detailed in the attribute table, Snort will  
> process the rule as it normally would, ie, on port 80 traffic for  
> the host.
>
>
>
> I hope I wasn’t too terse and that makes sense, but I have to run to  
> a meeting and had to cut it short.
>
> -Parker
>
> From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
> Sent: Tuesday, March 23, 2010 1:02 PM
> To: Joel Esler; Andy Berryman
> Cc: Crook, Parker; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Hogger 0.1.3 released
>
>
>
> Is there any downside to using it?  If the IP address is not in the  
> host attribute table will it still be monitored as per normal?
>
>
>
> From: Joel Esler [mailto:joel.esler at ...14399...]
> Sent: Tuesday, March 23, 2010 9:45 AM
> To: Andy Berryman
> Cc: Crook, Parker; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Hogger 0.1.3 released
>
>
>
> Glad to see people are using this.  It makes the set up of the  
> network as far as Snort sees it (preprocessors, rules, etc) much  
> much easier, and protects against much more.
>
>
>
> Joel
>
>
>
> On Mar 23, 2010, at 11:51 AM, Andy Berryman wrote:
>
>
>
> So, I have hogger running and it slurped in my XML file and I see  
> it in the syslog that it loaded it. Thanks for the help!
>
>
>
> --
> Joel Esler
> http://blog.joelesler.net
>
>
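
A worked model of the behaviour Parker describes above, added here as an example; it is not code from Hogger, from Snort, or from anyone in the thread. It parses a constructed attribute table in the SNORT_ATTRIBUTES XML layout documented in the Snort 2.x manual, enforces the host limit Joel quotes (default 10000, maximum 512k), falls back to the preprocessor default policy for hosts absent from the table, and decides whether a port-80 rule carrying metadata:service http is evaluated for a given destination. The host 10.1.2.3, its services, the rule text, the function names and the matching logic are assumptions that model the thread's description, not Snort's own rule-selection code.

```python
"""Model of what a Snort host attribute table changes, after the thread above.

Added example, not code from Hogger, Snort or anyone in the thread. The XML
follows the SNORT_ATTRIBUTES layout in the Snort 2.x manual; the host, its
services, the rule and the matching logic are constructed assumptions that
model the behaviour described in the thread, not Snort's own code.
"""
import re
import xml.etree.ElementTree as ET

# Limits quoted in the thread: Snort reads at most max_attribute_hosts
# entries, default 10000, configurable up to 512k.
DEFAULT_MAX_ATTRIBUTE_HOSTS = 10000
ABSOLUTE_MAX_ATTRIBUTE_HOSTS = 512 * 1024

# Constructed table: one Linux host that serves http on tcp/2000.
ATTRIBUTE_TABLE_XML = """<SNORT_ATTRIBUTES>
<ATTRIBUTE_MAP>
  <ENTRY><ID>1</ID><VALUE>Linux</VALUE></ENTRY>
  <ENTRY><ID>2</ID><VALUE>http</VALUE></ENTRY>
</ATTRIBUTE_MAP>
<ATTRIBUTE_TABLE>
  <HOST>
    <IP>10.1.2.3</IP>
    <OPERATING_SYSTEM>
      <NAME><ATTRIBUTE_ID>1</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></NAME>
      <FRAG_POLICY>linux</FRAG_POLICY>
      <STREAM_POLICY>linux</STREAM_POLICY>
    </OPERATING_SYSTEM>
    <SERVICES>
      <SERVICE>
        <PORT><ATTRIBUTE_VALUE>2000</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
        <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
        <PROTOCOL><ATTRIBUTE_ID>2</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
      </SERVICE>
    </SERVICES>
  </HOST>
</ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
"""

# Constructed rule in the shape Parker gives: header port 80, service http.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
        '(msg:"constructed http rule"; metadata:service http; sid:1000001;)')

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def load_attribute_table(xml_text, max_hosts=DEFAULT_MAX_ATTRIBUTE_HOSTS):
    """Return {ip: {"frag_policy": str, "services": {(ipproto, port): name}}}.

    Rejects a table with more hosts than max_hosts. The thread does not say
    what Snort itself does at the limit, so this model simply refuses it.
    """
    max_hosts = min(max_hosts, ABSOLUTE_MAX_ATTRIBUTE_HOSTS)
    root = ET.fromstring(xml_text)
    names = {e.findtext("ID").strip(): e.findtext("VALUE").strip()
             for e in root.iter("ENTRY")}
    hosts = {}
    for host in root.iter("HOST"):
        services = {}
        for svc in host.iter("SERVICE"):
            port = int(svc.find("PORT/ATTRIBUTE_VALUE").text)
            ipproto = svc.find("IPPROTO/ATTRIBUTE_VALUE").text.strip()
            proto_id = svc.find("PROTOCOL/ATTRIBUTE_ID").text.strip()
            services[(ipproto, port)] = names[proto_id]
        hosts[host.findtext("IP").strip()] = {
            "frag_policy": host.findtext("OPERATING_SYSTEM/FRAG_POLICY"),
            "services": services,
        }
    if len(hosts) > max_hosts:
        raise ValueError("attribute table has %d hosts, limit is %d" % (len(hosts), max_hosts))
    return hosts


def frag_policy_for(hosts, ip, default="windows"):
    """Hosts absent from the table get the preprocessor default, e.g. the
    'policy windows' of the frag3_engine line quoted in the thread."""
    entry = hosts.get(ip)
    if entry is None or not entry["frag_policy"]:
        return default
    return entry["frag_policy"]


def parse_rule(text):
    """Pull protocol, header destination port and metadata:service from a rule."""
    proto, dport, opts = RULE_RE.match(text.strip()).group(2, 6, 7)
    service = None
    meta = re.search(r"metadata:\s*([^;]*)", opts)
    if meta:
        for item in meta.group(1).split(","):
            key, _, value = item.strip().partition(" ")
            if key == "service":
                service = value.strip()
    return {"proto": proto, "dst_port": dport, "service": service}


def rule_applies(rule, hosts, dst_ip, dst_port):
    """Is the rule evaluated for traffic to dst_ip:dst_port?

    Host not in the table: only the header port, as normal. Host in the
    table: the header port still counts, and a rule with metadata:service
    also covers any port the table labels with that service on this host
    (Parker's "port 2000 as well").
    """
    header_match = rule["dst_port"] in ("any", str(dst_port))
    entry = hosts.get(dst_ip)
    if entry is None or header_match:
        return header_match
    if rule["service"] is None:
        return False
    return entry["services"].get((rule["proto"], dst_port)) == rule["service"]


if __name__ == "__main__":
    table = load_attribute_table(ATTRIBUTE_TABLE_XML)
    http_rule = parse_rule(RULE)
    for ip, port in [("10.1.2.3", 2000), ("10.1.2.3", 80), ("10.9.9.9", 2000)]:
        print(ip, port, "frag", frag_policy_for(table, ip),
              "rule evaluated:", rule_applies(http_rule, table, ip, port))
```

Running it shows the two cases from the thread side by side: the listed host gets the rule on both 80 and 2000 and its own frag policy, while 10.9.9.9, which is not in the table, gets the rule on port 80 only and the windows default. Lowering max_hosts below the number of HOST entries makes the loader refuse the table, which is the check worth adding before a large scan output is fed to Snort with the default limit of 10000.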