[Snort-users] Building a host attribute table?

Russ Combs rcombs at ...1935...
Thu Oct 14 05:14:32 EDT 2010


On Wed, Oct 13, 2010 at 10:36 AM, Crook, Parker <Parker_Crook at ...14786...>wrote:

> *From:* Andy Berryman [mailto:aberryman at ...14765...]
> *Sent:* Wednesday, October 13, 2010 10:00 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] Building a host attribute table?
>
> Is it worth building a host attribute table when you only have the
> operating system? Basically, is it worth the hassle? Let’s say I only have
> the OS for about 100 machines on 3 class B subnets. Most of them are Windows
> XP, 2k8 or win7 boxes. There are about 20-30 that are SunOS, linux, or DRAC.
>
> If all you are using the HAT for is to define OS, then it’s probably easier
> to setup a new stream5, and frag3 policy and define the IPs there.
>
> My stream5 is setup like this.
>
> preprocessor stream5_global: max_tcp 1048576, memcap 1073741824, track_tcp
> yes, track_udp no
>
> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes,
> dont_store_large_packets, ports client 21 22 23 25 42 53 79 80 109 110 111
> 113 119 135 136 137 139 143 110 111 161 445 513 514 691 1433 1521 2100 2301
> 3128 3306 6665 6666 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771
> 32772 32773 32774 32775 32776 32777 32778 32779, ports both 443 465 563 636
> 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908
> 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
>
> So with that said, it seems like it’d be pointless to set it up for
> anything that’s a Windows machine, right?
>
> Depends on if you’re going to use the HAT to also define ports, services,
> applications… if you are running services on non-standard ports, I say by
> all means, add in the Windows boxes so that you get coverage via the
> metadata service tags in rules, otherwise you’re going to be missing a bit
> of data. (bit is relative here, in my environment, I would miss a lot).
>

The HAT can also be reloaded without restart.

>
> Thanks,
>
> Andy Berryman
>  ------------------------------
>
> This message from Cymtec Systems, Inc. contains confidential information
> and is solely for the use of the recipient(s) named above. If you are not
> the intended recipient or an agent responsible for delivering it to the
> intended recipient, you are hereby notified that you have received this
> message in error and that any review, disclosure, copying, distribution or
> use of the contents of this message is strictly prohibited. If you have
> received this message in error, please destroy it immediately and notify
> Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
>  ------------------------------
>
>
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
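As an added illustration (not code from this thread or from the Snort project), the script below generates a Snort 2.x host attribute table from an OS-only inventory like the one Andy describes, mapping each OS to the stream5/frag3 policy names and attaching services on non-standard ports so the metadata service tags Parker mentions can match. The inventory, the OS-to-policy mapping for Windows 2008 and 7, and the use of inline ATTRIBUTE_VALUE instead of an ATTRIBUTE_MAP are my assumptions; verify the element layout against the manual for your Snort version.

```python
import xml.etree.ElementTree as ET

# OS label -> (stream5 policy, frag3 policy), using Snort 2.x policy names.
# The 2008 -> win2003 and 7 -> vista choices are assumptions; DRAC controllers
# are deliberately unmapped so they get no OS block (Snort falls back to the
# stream5/frag3 default policy for them).
POLICY_MAP = {
    "windows xp": ("windows", "windows"),
    "windows 2008": ("win2003", "windows"),
    "windows 7": ("vista", "windows"),
    "linux": ("linux", "linux"),
    "sunos": ("solaris", "solaris"),
}

# Constructed inventory: ip -> (os label, [(tcp port, service name)]).
# Only services on non-standard ports are listed, as that is where the HAT
# adds coverage beyond the port-based defaults in the rules.
INVENTORY = {
    "10.1.2.3": ("windows xp", []),
    "10.1.2.4": ("linux", [(8080, "http"), (2222, "ssh")]),
    "10.1.2.5": ("sunos", []),
    "10.1.2.6": ("drac", []),
}

def _valued(parent, tag, value, confidence=100):
    """Emit <tag><ATTRIBUTE_VALUE>v</ATTRIBUTE_VALUE><CONFIDENCE>c</CONFIDENCE></tag>."""
    node = ET.SubElement(parent, tag)
    ET.SubElement(node, "ATTRIBUTE_VALUE").text = str(value)
    ET.SubElement(node, "CONFIDENCE").text = str(confidence)
    return node

def build_hat(inventory):
    """Return (xml_text, hosts_with_policy) for the given inventory."""
    root = ET.Element("SNORT_ATTRIBUTES")
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    with_policy = 0
    for ip, (os_name, services) in sorted(inventory.items()):
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = ip
        policies = POLICY_MAP.get(os_name.lower())
        if policies:  # only hosts with a known policy get an OS block
            os_el = ET.SubElement(host, "OPERATING_SYSTEM")
            _valued(os_el, "NAME", os_name)
            ET.SubElement(os_el, "FRAG_POLICY").text = policies[1]
            ET.SubElement(os_el, "STREAM_POLICY").text = policies[0]
            with_policy += 1
        if services:
            svcs = ET.SubElement(host, "SERVICES")
            for port, proto in services:
                svc = ET.SubElement(svcs, "SERVICE")
                _valued(svc, "PORT", port)
                _valued(svc, "IPPROTO", "tcp")
                _valued(svc, "PROTOCOL", proto)
    return ET.tostring(root, encoding="unicode"), with_policy
```

Point `attribute_table filename` in snort.conf at the written file; since the HAT reloads without a restart, the script can be re-run whenever the inventory changes.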