[Snort-users] Snort Host Attribute table

Joel Esler joel.esler at ...14399...
Thu Mar 25 12:49:26 EDT 2010


On Mar 24, 2010, at 2:11 PM, Jason Wallace wrote:
> 1) I know that it plays into frag3, stream5, http_inspect, and rules.
> But does it also have an effect on?:
> 
> ftp_telnet
> ftp_telnet_protocol
> smtp
> ssh
> dcerpc2
> dcerpc2_server
> dns
> ssl
> 
> I assume it would at least affect the "ports" option of these.
> 

According to the 2.8.6 docs, it affects exactly what you put in your initial comment above (after the 1).  I don't see, according to documentation, that it affects other preprocessors.  I did not look at the code however.


> 2) I suspect, now that we have hogger to help out, more people will be
> migrating to using the host attribute table.

I hope so.

> Right now I have a pretty
> complicated snort.conf to do what the host attribute table would do.
> For those migrating, does it make sense to simplify our detailed
> preprocessor setups to just match the most common hosts and let the
> table handle the rest?

Exactly.

> 3) Kind of the same question as #2 but in relation to "var"'s. Since
> the table would have the IP and ports for these servers/services, does
> the host attribute table make the following pointless to define?
> 
> var DNS_SERVERS
> var SMTP_SERVERS
> var HTTP_SERVERS
> var SQL_SERVERS
> var TELNET_SERVERS
> var FTP_SERVERS
> var SNMP_SERVERS
> portvar HTTP_PORTS
> portvar ORACLE_PORTS
> portvar FTP_PORTS
> 
> I know without the host attribute table it is a good idea to
> specifically define the "*_SERVERS" vars to cut down on what is
> inspected, but with a host attribute table could you just set those to
> $HOME_NET and be done with them?


I would say yes, they are still important to configure.  However, since you have such a detailed Snort.conf, I would be interested in you testing both and letting us know your results.




--
Joel Esler
http://blog.joelesler.net
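As an added example (not from this thread or from the Snort project), the script below reads a host attribute table in the layout the Snort 2.8.x manual documents and renders the matching var/portvar lines, so the definitions discussed under question 3 stay in step with the table instead of being widened to $HOME_NET. The XML is a constructed sample and the service-to-variable mapping is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the documented Snort 2.8.x host attribute table layout:
# ATTRIBUTE_MAP names the services, ATTRIBUTE_TABLE lists hosts and their ports.
SAMPLE_TABLE = """<SNORT_ATTRIBUTES>
 <ATTRIBUTE_MAP>
  <ENTRY><ID>1</ID><VALUE>http</VALUE></ENTRY>
  <ENTRY><ID>2</ID><VALUE>dns</VALUE></ENTRY>
 </ATTRIBUTE_MAP>
 <ATTRIBUTE_TABLE>
  <HOST><IP>192.168.1.10</IP><SERVICES><SERVICE>
   <PORT><ATTRIBUTE_VALUE>8080</ATTRIBUTE_VALUE></PORT>
   <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE></IPPROTO>
   <PROTOCOL><ATTRIBUTE_ID>1</ATTRIBUTE_ID></PROTOCOL>
  </SERVICE></SERVICES></HOST>
  <HOST><IP>192.168.1.53</IP><SERVICES><SERVICE>
   <PORT><ATTRIBUTE_VALUE>53</ATTRIBUTE_VALUE></PORT>
   <IPPROTO><ATTRIBUTE_VALUE>udp</ATTRIBUTE_VALUE></IPPROTO>
   <PROTOCOL><ATTRIBUTE_ID>2</ATTRIBUTE_ID></PROTOCOL>
  </SERVICE></SERVICES></HOST>
 </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>"""

# Assumed mapping from table service name to the snort.conf variables it feeds.
# A None port variable means only the server list is generated.
VAR_MAP = {"http": ("HTTP_SERVERS", "HTTP_PORTS"), "dns": ("DNS_SERVERS", None)}


def services_by_name(xml_text):
    """Return {service_name: (sorted host IPs, sorted ports)} from the table."""
    root = ET.fromstring(xml_text)
    names = {e.findtext("ID"): e.findtext("VALUE") for e in root.iter("ENTRY")}
    found = {}
    for host in root.iter("HOST"):
        ip = host.findtext("IP")
        for svc in host.iter("SERVICE"):
            name = names.get(svc.findtext("PROTOCOL/ATTRIBUTE_ID"))
            port = svc.findtext("PORT/ATTRIBUTE_VALUE")
            if name is None or port is None:
                continue  # unmapped or incomplete entry: nothing to derive
            ips, ports = found.setdefault(name, (set(), set()))
            ips.add(ip)
            ports.add(int(port))
    return {n: (sorted(v[0]), sorted(v[1])) for n, v in found.items()}


def snort_vars(xml_text, mapping=VAR_MAP):
    """Render var/portvar lines that match the hosts and ports in the table."""
    svcs = services_by_name(xml_text)
    lines = []
    for name, (ip_var, port_var) in mapping.items():
        ips, ports = svcs.get(name, ([], []))
        lines.append("var %s [%s]" % (ip_var, ",".join(ips)))
        if port_var:
            lines.append("portvar %s [%s]" % (port_var, ",".join(map(str, ports))))
    return "\n".join(lines)
```

Regenerating the variables from the same table that feeds frag3, stream5 and http_inspect keeps the two sources of truth from drifting apart.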