[Snort-users] Snort Host Attribute table
joel.esler at ...14399...
Thu Mar 25 12:49:26 EDT 2010
On Mar 24, 2010, at 2:11 PM, Jason Wallace wrote:
> 1) I know that it plays into frag3, stream5, http_inspect, and rules.
> But does it also have an effect on?:
> I assume it would at least affect the "ports" option of these.
According to the 2.8.6 docs, it affects exactly what you put in your initial comment above (after the 1). I don't see, according to documentation, that it affects other preprocessors. I did not look at the code, however.
> 2) I suspect, now that we have hogger to help out, more people will be
> migrating to using the host attribute table.
I hope so.
> Right now I have a pretty
> complicated snort.conf to do what the host attribute table would do.
> For those migrating, does it make sense to simplify our detailed
> preprocessor setups to just match the most common hosts and let
> the table handle the rest?
> 3) Kind of the same question as #2 but in relation to "var"'s. Since
> the table would have the IP and ports for these servers/services, does
> the host attribute table make the following pointless to define?
> var DNS_SERVERS
> var SMTP_SERVERS
> var HTTP_SERVERS
> var SQL_SERVERS
> var TELNET_SERVERS
> var FTP_SERVERS
> var SNMP_SERVERS
> portvar HTTP_PORTS
> portvar ORACLE_PORTS
> portvar FTP_PORTS
> I know without the host attribute table it is a good idea to
> specifically define the "*_SERVERS" vars to cut down on what is
> inspected, but with a host attribute table could you just set those to
> $HOME_NET and be done with them?
I would say yes, they are still important to configure. However, since you have such a detailed Snort.conf, I would be interested in you testing both and letting us know your results.
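
For the side-by-side test suggested above, an added example (not part of the original thread, and not Snort or hogger code): a Python script that reads a host attribute table and prints the `var`/`portvar` lines its service entries imply, so they can be diffed against the hand-maintained ones. The sample table is constructed, its element names follow the host attribute table layout in the Snort manual (trimmed to the fields used here), and the `<PROTOCOL>_SERVERS` / `<PROTOCOL>_PORTS` naming is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample table (not real hosts). Only IP, PORT and PROTOCOL are kept.
SAMPLE = """<SNORT_ATTRIBUTES>
<ATTRIBUTE_MAP><ENTRY><ID>1</ID><VALUE>http</VALUE></ENTRY></ATTRIBUTE_MAP>
<ATTRIBUTE_TABLE>
<HOST><IP>10.0.0.5</IP><SERVICES><SERVICE>
 <PORT><ATTRIBUTE_VALUE>8080</ATTRIBUTE_VALUE></PORT>
 <PROTOCOL><ATTRIBUTE_ID>1</ATTRIBUTE_ID></PROTOCOL>
</SERVICE></SERVICES></HOST>
<HOST><IP>10.0.0.9</IP><SERVICES><SERVICE>
 <PORT><ATTRIBUTE_VALUE>25</ATTRIBUTE_VALUE></PORT>
 <PROTOCOL><ATTRIBUTE_VALUE>smtp</ATTRIBUTE_VALUE></PROTOCOL>
</SERVICE><SERVICE>
 <PORT><ATTRIBUTE_VALUE>80</ATTRIBUTE_VALUE></PORT>
 <PROTOCOL><ATTRIBUTE_VALUE>http</ATTRIBUTE_VALUE></PROTOCOL>
</SERVICE></SERVICES></HOST>
</ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>"""

def attr(elem, id_map):
    """Resolve a field given inline (ATTRIBUTE_VALUE) or via the map (ATTRIBUTE_ID)."""
    if elem is None:
        return None
    value = elem.findtext("ATTRIBUTE_VALUE")
    if value:
        return value.strip()
    return id_map.get((elem.findtext("ATTRIBUTE_ID") or "").strip())

def implied_vars(xml_text):
    """Return the var/portvar lines implied by the table's service entries."""
    root = ET.fromstring(xml_text)
    id_map = {e.findtext("ID").strip(): e.findtext("VALUE").strip()
              for e in root.iter("ENTRY")}
    servers, ports = defaultdict(set), defaultdict(set)
    for host in root.iter("HOST"):
        ip = host.findtext("IP").strip()
        for svc in host.iter("SERVICE"):
            proto, port = attr(svc.find("PROTOCOL"), id_map), attr(svc.find("PORT"), id_map)
            if proto and port:  # skip services with no usable protocol or port
                servers[proto.upper()].add(ip)
                ports[proto.upper()].add(int(port))
    lines = []
    for p in sorted(servers):
        lines.append("var %s_SERVERS [%s]" % (p, ",".join(sorted(servers[p]))))
        lines.append("portvar %s_PORTS [%s]" % (p, ",".join(map(str, sorted(ports[p])))))
    return lines

if __name__ == "__main__":
    print("\n".join(implied_vars(SAMPLE)))
```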