[Snort-users] Snort Host Attribute table

Jason Wallace jason.r.wallace at ...11827...
Thu Mar 25 12:29:51 EDT 2010


Any input on the questions below would be appreciated.

Thx,
Wally

On Wed, Mar 24, 2010 at 2:11 PM, Jason Wallace
<jason.r.wallace at ...11827...> wrote:
> Since we are on the topic, I also have a couple of questions about the
> host attribute table.
>
> 1) I know that it plays into frag3, stream5, http_inspect, and rules.
> But does it also have an effect on the following?
>
> ftp_telnet
> ftp_telnet_protocol
> smtp
> ssh
> dcerpc2
> dcerpc2_server
> dns
> ssl
>
> I assume it would at least affect the "ports" option of these.
>
> 2) I suspect, now that we have hogger to help out, more people will be
> migrating to using the host attribute table. Right now I have a pretty
> complicated snort.conf to do what the host attribute table would do.
> For those migrating, does it make sense to simplify our detailed
> preprocessor setups to just match the most common hosts and let the
> table handle the rest?
>
> 3) Kind of the same question as #2 but in relation to vars. Since
> the table would have the IP and ports for these servers/services, does
> the host attribute table make the following pointless to define?
>
> var DNS_SERVERS
> var SMTP_SERVERS
> var HTTP_SERVERS
> var SQL_SERVERS
> var TELNET_SERVERS
> var FTP_SERVERS
> var SNMP_SERVERS
> portvar HTTP_PORTS
> portvar ORACLE_PORTS
> portvar FTP_PORTS
>
> I know without the host attribute table it is a good idea to
> specifically define the "*_SERVERS" vars to cut down on what is
> inspected, but with a host attribute table could you just set those to
> $HOME_NET and be done with them?
>
>
> Thx,
> Wally
>
> On Wed, Mar 24, 2010 at 11:41 AM, Alex Tatistcheff
> <alex.tatistcheff at ...11827...> wrote:
>> Well, one way is you could attend the Snort 360 class offered by
>> Sourcefire!  Ok, as one of the instructors I might be a bit biased....  ;-)
>>
>> Seriously though, what we do in class is load the attribute table then
>> demonstrate with some sample Snort rules using the metadata keyword how
>> Snort now alerts for HTTP based rules on hosts which are identified in the
>> XML file as serving HTTP on a given port even though the rule does not
>> include that port.
>>
>> For example, you have a snort rule with the destination port of 80 and
>> "metadata: service http;". Now, suppose you have a host which is running, say,
>> webmin offering HTTP on port 10000.  You identify that in the attribute
>> table file.  The snort rule will now be evaluated for the traffic destined
>> for port 10000 on that host.  Yet it will not be processed for other hosts
>> which are not identified in the XML file as listening for HTTP on port
>> 10000.
>>
>> You can write some quick sample rules to evaluate the behavior of your Snort
>> installation to ensure it's working as advertised.
>>
>> Alex Tatistcheff
>> alext at ...492...
>>
>> The most terrifying words in the English language are, "I'm from the
>> government and I'm here to help." -Ronald Reagan
>>
>>
>>
>>
>> On Tue, Mar 23, 2010 at 10:25 AM, Andy Berryman <aberryman at ...14758...>
>> wrote:
>>>
>>> I understand that it's loading the table. I was just asking if there is a
>>> way to check AFTER it was loaded, to see if it was working. I guess no news
>>> (errors) is good news?
>>>
>>>
>>>
>>> I was also wondering what the lines directly below it mean. Do they
>>> pertain to the XML files being loaded? I had never seen them until I added
>>> the attribute table to the snort.conf.
>>>
>>>
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=24 as service=x11
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=12 as service=netbios-ns
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=28 as service=ldap
>>>
>>>
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Andy
>>>
>>>
>>>
>>> From: jcummings at ...1935... [mailto:jcummings at ...1935...] On Behalf
>>> Of JJ Cummings
>>> Sent: Tuesday, March 23, 2010 11:00 AM
>>> To: Andy Berryman
>>> Cc: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Snort Host Attribute table
>>>
>>>
>>>
>>> One of the following outputs (depending on HUP, Init.. etc).. this was
>>> taken from the email chain about this yesterday.
>>>
>>>
>>>
>>> JJC
>>>
>>>
>>>
>>> 1:
>>> Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 113 hosts
>>>
>>> 2:
>>> Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread
>>> Starting...
>>> Mar 22 16:38:49 SNORT2 snort[21699]: Attribute Table Reload Thread
>>> Started, thread 3059501968 (21699)
>>>
>>> 3:
>>> Mar 22 16:27:01 SNORT2 snort[19778]:
>>> ===============================================================================
>>> Mar 22 16:27:01 SNORT2 snort[19778]: Attribute Table Stats:
>>> Mar 22 16:27:01 SNORT2 snort[19778]: Number Entries: 113
>>> Mar 22 16:27:01 SNORT2 snort[19778]: Table Reloaded: 0
>>> Mar 22 16:27:01 SNORT2 snort[19778]:
>>> ===============================================================================
>>>
>>> On Tue, Mar 23, 2010 at 9:56 AM, Andy Berryman <aberryman at ...14758...>
>>> wrote:
>>>
>>> I have an attribute table that was created with the help of Hogger.
>>> <--great program btw
>>>
>>> My question is, now that snort's loading the file, how do I know it's
>>> working?
>>>
>>> I see it loading it in my syslog, but not sure if there is anything I can
>>> check to make sure it's doing what it's supposed to be doing.
>>>
>>> Also, what does the output below ("fpBuildServicePortGroups") tell me?
>>>
>>> Mar 23 15:42:26 (none) snort[4648]: Attribute Table Reload Thread
>>> Starting...
>>>
>>> Mar 23 15:42:26 (none) snort[4648]: Attribute Table Reload Thread Started,
>>> thread 3067956416 (4648)
>>>
>>> Mar 23 15:42:26 (none) snort[4648]: Checking PID path...
>>>
>>> Mar 23 15:42:26 (none) snort[4648]: PID path stat checked out ok, PID path
>>> set to /var/run/
>>>
>>> Mar 23 15:42:26 (none) snort[4648]: Writing PID "4648" to file
>>> "/var/run//snort_eth1.pid"
>>>
>>> Mar 23 15:42:26 (none) snort[4648]: Decoding Ethernet on interface eth1
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=24 as service=x11
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=12 as service=netbios-ns
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=28 as service=ldap
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=74 as service=ident
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=91 as service=rtsp
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=13 as service=netbios-ssn
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=90 as service=ssl
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=7 as service=telnet
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=86 as service=sunrpc
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=10 as service=dcerpc
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=17 as service=finger
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=6 as service=ftp
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=57 as service=font-service
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=95 as service=ldp
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=11 as service=netbios-dgm
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=8 as service=smtp
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=21 as service=pop3
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=14 as service=nntp
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=92 as service=kerberos
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=22 as service=snmp
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=18 as service=imap
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=15 as service=dns
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=52 as service=mysql
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=5 as service=http
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=52 as service=mysql
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=10 as service=dcerpc
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=13 as service=netbios-ssn
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=91 as service=rtsp
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=18 as service=imap
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=8 as service=smtp
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=12 as service=netbios-ns
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=6 as service=ftp
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=15 as service=dns
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=24 as service=x11
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=7 as service=telnet
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=28 as service=ldap
>>>
>>> Mar 23 15:42:35 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=22 as service=snmp
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=5 as service=http
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=74 as service=ident
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=86 as service=sunrpc
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=94 as service=ircd
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=90 as service=ssl
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=21 as service=pop3
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=14 as service=nntp
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=10 as service=dcerpc
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=23 as service=tftp
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=11 as service=netbios-dgm
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=12 as service=netbios-ns
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=15 as service=dns
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=92 as service=kerberos
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=22 as service=snmp
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=13 as service=netbios-ssn
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=96 as service=radius
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=86 as service=sunrpc
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=93 as service=ntp
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=10 as service=dcerpc
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=91 as service=rtsp
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=93 as service=ntp
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=11 as service=netbios-dgm
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=12 as service=netbios-ns
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=13 as service=netbios-ssn
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=22 as service=snmp
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=96 as service=radius
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=15 as service=dns
>>>
>>> Mar 23 15:42:36 (none) snort[4648]: fpBuildServicePortGroups: adding
>>> protocol-ordinal=86 as service=sunrpc
>>>
>>> Thanks,
>>>
>>> Andy Berryman
>>>
>>> ________________________________
>>>
>>> This message from Cymtec Systems, Inc. contains confidential information
>>> and is solely for the use of the recipient(s) named above. If you are not
>>> the intended recipient or an agent responsible for delivering it to the
>>> intended recipient, you are hereby notified that you have received this
>>> message in error and that any review, disclosure, copying, distribution or
>>> use of the contents of this message is strictly prohibited. If you have
>>> received this message in error, please destroy it immediately and notify
>>> Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
>>>
>>> ________________________________
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Download Intel® Parallel Studio Eval
>>> Try the new software tools for yourself. Speed compiling, find bugs
>>> proactively, and fine-tune applications for parallel performance.
>>> See why Intel Parallel Studio got high marks during beta.
>>> http://p.sf.net/sfu/intel-sw-dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>
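Added example, not part of the thread and not Snort's or Hogger's own code: a small Python script that reads a host attribute table and models the service-aware rule selection Alex describes (an HTTP rule written for port 80 also being evaluated for a host that declares HTTP on 10000, but not for hosts that do not), and that compares the host count Snort logs at load time ("Attribute Table Loaded with N hosts") with the XML it was given, which is one concrete answer to Andy's "how do I know it's working" question. The XML element names follow the SNORT_ATTRIBUTES layout in the Snort manual; the two hosts, their IPs and ports, the syslog lines and the rule's service and port list are constructed for this example. One modelling assumption the thread does not state: a host that declares a different service on the destination port suppresses the rule.

```python
"""Read a Snort host attribute table and model how it changes rule selection.

Added example (not from the thread, Snort or Hogger). Element names follow
the SNORT_ATTRIBUTES schema in the Snort manual; hosts, ports and log lines
are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed table: 192.0.2.10 serves HTTP on tcp/10000 (the webmin case
# from the thread), 192.0.2.20 serves SSH on tcp/22. PROTOCOL points into
# ATTRIBUTE_MAP by ID; PORT and IPPROTO carry literal values.
SAMPLE_TABLE = """<SNORT_ATTRIBUTES>
  <ATTRIBUTE_MAP>
    <ENTRY><ID>1</ID><VALUE>http</VALUE></ENTRY>
    <ENTRY><ID>2</ID><VALUE>ssh</VALUE></ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <HOST><IP>192.0.2.10</IP><SERVICES><SERVICE>
      <PORT><ATTRIBUTE_VALUE>10000</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
      <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
      <PROTOCOL><ATTRIBUTE_ID>1</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
    </SERVICE></SERVICES></HOST>
    <HOST><IP>192.0.2.20</IP><SERVICES><SERVICE>
      <PORT><ATTRIBUTE_VALUE>22</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
      <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
      <PROTOCOL><ATTRIBUTE_ID>2</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
    </SERVICE></SERVICES></HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>"""

# Constructed syslog lines in the format quoted in the thread.
SAMPLE_SYSLOG = [
    "Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Reload Thread Starting...",
    "Mar 22 16:38:46 SNORT2 snort[21698]: Attribute Table Loaded with 2 hosts",
]


def parse_attribute_table(xml_text):
    """Return {ip: {(ipproto, port): service}} for every HOST in the table."""
    root = ET.fromstring(xml_text)
    id_map = {e.findtext("ID", "").strip(): e.findtext("VALUE", "").strip()
              for e in root.iter("ENTRY")}

    def value(elem):
        # An attribute is either a literal ATTRIBUTE_VALUE or an ATTRIBUTE_ID
        # that indexes ATTRIBUTE_MAP.
        literal = elem.findtext("ATTRIBUTE_VALUE")
        if literal is not None:
            return literal.strip()
        return id_map[elem.findtext("ATTRIBUTE_ID", "").strip()]

    hosts = {}
    for host in root.iter("HOST"):
        services = {}
        for svc in host.iter("SERVICE"):
            key = (value(svc.find("IPPROTO")).lower(), int(value(svc.find("PORT"))))
            services[key] = value(svc.find("PROTOCOL")).lower()
        hosts[host.findtext("IP", "").strip()] = services
    return hosts


def rule_applies(hosts, rule_service, rule_ports, dst_ip, dst_port, ipproto="tcp"):
    """Model of the service-aware selection described in the thread.

    A rule carrying 'metadata: service http' and a port list is evaluated
    when the destination host declares that service on dst_port (so HTTP
    on 10000 is covered although the rule says 80). If the table knows
    nothing about that host/port, the rule's own port list decides, as it
    would without a table. Assumption not stated in the thread: a host that
    declares a different service on dst_port suppresses the rule.
    """
    declared = hosts.get(dst_ip, {}).get((ipproto, dst_port))
    if declared is not None:
        return declared == rule_service
    return dst_port in rule_ports


LOADED_RE = re.compile(r"Attribute Table Loaded with (\d+) hosts")


def check_loaded_count(hosts, syslog_lines):
    """Return (hosts in the XML, hosts Snort logged at load, or None if absent).

    Equal numbers are the first sign Snort read the table you generated; a
    mismatch or None means it loaded a different file or none at all.
    """
    logged = None
    for line in syslog_lines:
        m = LOADED_RE.search(line)
        if m:
            logged = int(m.group(1))
    return len(hosts), logged


if __name__ == "__main__":
    table = parse_attribute_table(SAMPLE_TABLE)
    print("hosts in XML / hosts logged:", check_loaded_count(table, SAMPLE_SYSLOG))
    for ip, port in [("192.0.2.10", 10000), ("192.0.2.20", 10000), ("192.0.2.99", 80)]:
        print(f"http rule (dst 80) evaluated for {ip}:{port}?",
              rule_applies(table, "http", {80}, ip, port))
```

Point `parse_attribute_table` at the XML you feed Snort and `check_loaded_count` at the syslog excerpt from its start-up; the count comparison is cheap and catches the common failure where a path or permissions problem made Snort load a stale copy. The `rule_applies` model is only the behaviour the thread describes plus the one labelled assumption; confirm it against your own installation with the quick sample rules Alex suggests.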



