[Snort-users] Understanding MetaData
spawn at ...17369...
Fri Dec 4 21:21:53 EST 2015
I am trying to understand how "metadata: service http" and other
service types work.
I tried reading these documents:
But I am still a bit confused... :(
As I read the document, it stated the following: "The service Metadata Key
is only meaningful when a Host Attribute Table is provided".
The confusing part is that a lot of Talos signatures use "metadata:
service http", but there are no Host Attribute Tables created for that by
default when I installed snort. How are those signatures going to work?
In snort.conf there is no setting to tell snort to load the attribute
XMLs. How is that done?
I also tried creating a custom rule on the local.rules file to better my
understanding of "metadata service" using "ssh", but it does not fire when
I use it. It only works when I remove the "service ssh".
Here is the rule:
alert tcp $HOME_NET any -> $HOME_NET 22 ( \
msg:"SSH Brute Force Attempt"; \
content:"SSH"; nocase; offset:0; depth:4; \
detection_filter:track by_src, count 3, seconds 60; \
sid:1000001; metadata:service ssh; rev:1;)
My understanding of metadata is that it is used to detect that someone is
using a service not based on the port, but based on what the protocol is
exhibiting. For example, if I ssh to a server using port 4598, which is
not a standard ssh port, the "metadata service ssh" will be able to see it
is ssh even though I had port 22 on the signature for the destination port.
Any input and answers would be great.
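Added example (not part of the original post): a small Python model of the port-4598 scenario described above. It parses the poster's rule, then decides whether the rule would be selected for a packet using a constructed host attribute table. The table layout (a dict of (host ip, port) to service) and the selection logic are a simplified model of the manual's description, not Snort's own code.

```python
import re

# The rule from the post, including the backslash line continuations.
RULE = r'''alert tcp $HOME_NET any -> $HOME_NET 22 ( \
msg:"SSH Brute Force Attempt"; \
content:"SSH"; nocase; offset:0; depth:4; \
detection_filter:track by_src, count 3, seconds 60; \
sid:1000001; metadata:service ssh; rev:1;)'''

def parse_rule(text):
    """Return the protocol, destination port and metadata service of a rule."""
    text = text.replace("\\\n", " ")           # join backslash continuations
    header, _, body = text.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    m = re.search(r"metadata:\s*service\s+(\w+)", body)
    return {"proto": proto, "dport": dport, "service": m.group(1) if m else None}

# Constructed host attribute table (assumption, not a real Snort XML file):
# (host ip, port) -> service identified for that host/port.
HOST_TABLE = {
    ("10.0.0.5", 22): "ssh",
    ("10.0.0.5", 4598): "ssh",    # ssh on a non-standard port
    ("10.0.0.9", 22): "http",     # something other than ssh on port 22
}

def rule_applies(rule, dst_ip, dst_port, table):
    """Model: with a known service, the service decides; otherwise the port does."""
    service = table.get((dst_ip, dst_port))
    if rule["service"] is not None and service is not None:
        # Host and service are known: compare services, ignore the port.
        return service == rule["service"]
    # No table entry for this host/port (e.g. no table loaded at all):
    # fall back to the rule's port as Snort does without a table.
    return rule["dport"] == "any" or int(rule["dport"]) == dst_port

if __name__ == "__main__":
    r = parse_rule(RULE)
    print(rule_applies(r, "10.0.0.5", 4598, HOST_TABLE))   # True: ssh on 4598
    print(rule_applies(r, "10.0.0.77", 4598, {}))          # False: port only
```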