[Snort-users] Understanding MetaData

Rafael Leiva-Ochoa spawn at ...17369...
Sun Dec 6 12:53:31 EST 2015


Any takers...

On Friday, December 4, 2015, Rafael Leiva-Ochoa <spawn at ...17369...> wrote:

> Hi All,
>
>     I am trying to understand how "metadata: service http"  and other
> service types work.
>
> I tried reading these documents:
>
> http://manual.snort.org/node323.html
>
> and
>
> http://manual.snort.org/node22.html#targetbased
>
> But I am still a bit confused. :(
>
> As I read the document, it stated the following: "The service Metadata
> Key is only meaningful when a Host Attribute Table is provided".
>
> The confusing part is that a lot of Talos signatures use "metadata:
> service http", but there are no Host Attribute Tables created for that by
> default when I installed Snort. How are those signatures going to work
> without it?
>
> In the snort.conf there is no setting to tell Snort to load the attribute
> XMLs. How is that done?
>
> I also tried creating a custom rule in the local.rules file to better my
> understanding of "metadata service" using "ssh", but it does not fire when
> I use it. It only works when I remove the "service ssh".
>
> Here is the rule:
>
> alert tcp $HOME_NET any -> $HOME_NET 22 ( \
>         msg:"SSH Brute Force Attempt"; \
>         flow:established,to_server; \
>         content:"SSH"; nocase; offset:0; depth:4; \
>         detection_filter:track by_src, count 3, seconds 60; \
>         sid:1000001; metadata:service ssh; rev:1;)
>
> My understanding of metadata is that it is used to detect that someone is
> using a service not based on the port, but based on what the protocol is
> exhibiting. For example, if I ssh to a server using port 4598, which is
> not a standard ssh port, the "metadata service ssh" will be able to see it
> is ssh even though I had port 22 on the signature for the destination port.
>
> Any input and answers would be great.
>
> Thanks,
>
> Rafael
>
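As an added example (not part of the original post), a minimal Host Attribute Table in the format described at the node22 link quoted above, declaring that one host speaks ssh on tcp/4598; the IP, port and file path are constructed. Snort reads it when snort.conf contains `attribute_table filename /etc/snort/hosts.xml` (path assumed).

```xml
<!-- Constructed example: /etc/snort/hosts.xml (path assumed).
     Declares that 192.168.1.234 speaks ssh on tcp/4598, so a rule
     carrying "metadata:service ssh" is evaluated against that flow
     by service rather than by the port written in the rule header. -->
<SNORT_ATTRIBUTES>
  <ATTRIBUTE_MAP>
    <!-- Map entries give short IDs that hosts below reference. -->
    <ENTRY>
      <ID>1</ID>
      <VALUE>ssh</VALUE>
    </ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <HOST>
      <IP>192.168.1.234</IP>
      <OPERATING_SYSTEM>
        <NAME>
          <ATTRIBUTE_VALUE>Linux</ATTRIBUTE_VALUE>
          <CONFIDENCE>100</CONFIDENCE>
        </NAME>
        <!-- Reassembly policies frag3/stream5 should use for this host. -->
        <FRAG_POLICY>linux</FRAG_POLICY>
        <STREAM_POLICY>linux</STREAM_POLICY>
      </OPERATING_SYSTEM>
      <SERVICES>
        <SERVICE>
          <PORT>
            <ATTRIBUTE_VALUE>4598</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </PORT>
          <IPPROTO>
            <ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </IPPROTO>
          <PROTOCOL>
            <!-- References map entry 1 ("ssh"). -->
            <ATTRIBUTE_ID>1</ATTRIBUTE_ID>
            <CONFIDENCE>100</CONFIDENCE>
          </PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
```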