[Snort-users] Snort Host Attribute table

Alex Tatistcheff alex.tatistcheff at ...11827...
Wed Mar 24 11:41:08 EDT 2010


Well, one way is you could attend the Snort 360 class offered by
Sourcefire!  Ok, as one of the instructors I might be a bit biased....  ;-)

Seriously though, what we do in class is load the attribute table then
demonstrate with some sample Snort rules using the metadata keyword how
Snort now alerts for HTTP based rules on hosts which are identified in the
XML file as serving HTTP on a given port even though the rule does not
include that port.

For example, you have a snort rule with the destination port of 80 and
"metadata: service http;"   Now, if you have a host which is running - say
webmin offering HTTP on port 10000.  You identify that in the attribute
table file.  The snort rule will now be evaluated for the traffic destined
for port 10000 on that host.  Yet it will not be processed for other hosts
which are not identified in the XML file as listening for HTTP on port
10000.

You can write some quick sample rules to evaluate the behavior of your Snort
installation to ensure it's working as advertised.

Alex Tatistcheff
alext at ...492...

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan




On Tue, Mar 23, 2010 at 10:25 AM, Andy Berryman <aberryman at ...14758...>wrote:

>  I understand that it's loading the table. I was just asking if there is a
> way to check AFTER it was loaded, to see if it was working. I guess no news
> (errors) is good news?
>
>
>
> I was also wondering what the lines meant directly below it? Do they
> pertain to the XML files being loaded? I've never seen them until I added
> the attribute table to the snort.conf
>
>
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=24 as service=x11
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=12 as service=netbios-ns
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=28 as service=ldap
>
>
>
>
>
> Thanks,
>
> Andy
>
>
>
> *From:* jcummings at ...1935... [mailto:jcummings at ...1935...] *On
> Behalf Of *JJ Cummings
> *Sent:* Tuesday, March 23, 2010 11:00 AM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Snort Host Attribute table
>
>
>
> One of the following outputs (depending on HUP, Init.. etc).. this was
> taken from the email chain about this yesterday.
>
>
>
> JJC
>
>
>
> 1:
> Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts
>
> 2:
> Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread
> Starting...
> Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread Started,
> thread 3059501968 (21699)
>
> 3:
> Mar 22 16:27:01 SNORT2 snort[19778]:
> ===============================================================================
> Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
> Mar 22 16:27:01 SNORT2 snort[19778]: Number Entries: 113
> Mar 22 16:27:01 SNORT2 snort[19778]: Table Reloaded: 0
> Mar 22 16:27:01 SNORT2 snort[19778]:
> ===============================================================================
>
> On Tue, Mar 23, 2010 at 9:56 AM, Andy Berryman <aberryman at ...14758...>
> wrote:
>
> I have an attribute table that was created with the help of Hooger.
> <--great program btw
>
> My question is, now that snort's loading the file. How do I know it's
> working?
>
> I see it loading it in my syslog, but not sure if there is anything I can
> check to make sure it's doing what it's supposed to be doing.
>
> Also, what does the below output tell me "fpBuildServicePortGroups"
>
> Mar 23 15:42:26 (none) snort[4648]: Attribute Table Reload Thread
> Starting...
>
> Mar 23 15:42:26 (none) snort[4648]: Attribute Table Reload Thread Started,
> thread 3067956416 (4648)
>
> Mar 23 15:42:26 (none) snort[4648]: Checking PID path...
>
> Mar 23 15:42:26 (none) snort[4648]: PID path stat checked out ok, PID path
> set to /var/run/
>
> Mar 23 15:42:26 (none) snort[4648]: Writing PID "4648" to file
> "/var/run//snort_eth1.pid"
>
> Mar 23 15:42:26 (none) snort[4648]: Decoding Ethernet on interface eth1
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=24 as service=x11
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=12 as service=netbios-ns
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=28 as service=ldap
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=74 as service=ident
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=91 as service=rtsp
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=13 as service=netbios-ssn
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=90 as service=ssl
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=7 as service=telnet
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=86 as service=sunrpc
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=10 as service=dcerpc
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=17 as service=finger
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=6 as service=ftp
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=57 as service=font-service
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=95 as service=ldp
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=11 as service=netbios-dgm
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=8 as service=smtp
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=21 as service=pop3
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=14 as service=nntp
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=92 as service=kerberos
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=22 as service=snmp
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=18 as service=imap
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=15 as service=dns
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=52 as service=mysql
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=5 as service=http
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=52 as service=mysql
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=10 as service=dcerpc
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=13 as service=netbios-ssn
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=91 as service=rtsp
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=18 as service=imap
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=8 as service=smtp
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=12 as service=netbios-ns
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=6 as service=ftp
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=15 as service=dns
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=24 as service=x11
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=7 as service=telnet
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=28 as service=ldap
>
> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=22 as service=snmp
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=5 as service=http
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=74 as service=ident
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=86 as service=sunrpc
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=94 as service=ircd
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=90 as service=ssl
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=21 as service=pop3
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=14 as service=nntp
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=10 as service=dcerpc
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=23 as service=tftp
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=11 as service=netbios-dgm
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=12 as service=netbios-ns
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=15 as service=dns
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=92 as service=kerberos
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=22 as service=snmp
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=13 as service=netbios-ssn
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=96 as service=radius
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=86 as service=sunrpc
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=93 as service=ntp
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=10 as service=dcerpc
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=91 as service=rtsp
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=93 as service=ntp
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=11 as service=netbios-dgm
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=12 as service=netbios-ns
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=13 as service=netbios-ssn
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=22 as service=snmp
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=96 as service=radius
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=15 as service=dns
>
> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
> protocol-ordinal=86 as service=sunrpc
>
> Thanks,
>
> Andy Berryman
>  ------------------------------
>
> This message from Cymtec Systems, Inc. contains confidential information
> and is solely for the use of the recipient(s) named above. If you are not
> the intended recipient or an agent responsible for delivering it to the
> intended recipient, you are hereby notified that you have received this
> message in error and that any review, disclosure, copying, distribution or
> use of the contents of this message is strictly prohibited. If you have
> received this message in error, please destroy it immediately and notify
> Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
>   ------------------------------
>
>
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0d%0aSnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> --
>  ------------------------------
>  This message from Cymtec Systems, Inc. contains confidential information
> and is solely for the use of the recipient(s) named above. If you are not
> the intended recipient or an agent responsible for delivering it to the
> intended recipient, you are hereby notified that you have received this
> message in error and that any review, disclosure, copying, distribution or
> use of the contents of this message is strictly prohibited. If you have
> received this message in error, please destroy it immediately and notify
> Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
>  ------------------------------
>
>
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100324/23e8bb24/attachment.html>


More information about the Snort-users mailing list