[Snort-users] Understanding MetaData

Rafael Leiva-Ochoa spawn at ...17369...
Fri Dec 4 21:21:53 EST 2015


Hi All,

I am trying to understand how "metadata: service http" and other
service types work.

I tried reading these documents:

http://manual.snort.org/node323.html

and

http://manual.snort.org/node22.html#targetbased

But I am still a bit confused... :(

As I read the document, it stated the following: "The service Metadata Key
is only meaningful when a Host Attribute Table is provided".

The confusing part is that a lot of Talos signatures use "metadata:
service http", but there is no Host Attribute Table created for that by
default when I installed snort. How are those signatures going to work
without it?

On the snort.conf there is no setting to tell snort to load the Attributes
XML's. How is that done?

I also tried creating a custom rule on the local.rules file to better my
understanding of "metadata service" using "ssh",  but it does not fire when
I use it. It only works when I remove the "service ssh".

Here is the rule:

alert tcp $HOME_NET any -> $HOME_NET 22 ( \
        msg:"SSH Brute Force Attempt"; \
        flow:established,to_server; \
        content:"SSH"; nocase; offset:0; depth:4; \
        detection_filter:track by_src, count 3, seconds 60; \
        sid:1000001; metadata:service ssh; rev:1;)

My understanding of metadata is that it is used to detect that someone is
using a service not based on the port, but based on what the protocol is
exhibiting. For example, if I ssh to a server using port 4598, which is
not a standard ssh port, the "metadata service ssh" will be able to see it
is ssh even though I had port 22 on the signature for the destination port.

Any input and answers would be great.

Thanks,

Rafael