[Snort-users] Understanding MetaData

paul meding medingtac at ...11827...
Sun Dec 6 13:47:08 EST 2015

Not snort answer per se but metadata is to bring context to network
traffic.  Magic numbers can identify applications, filetypes, etc based
upon the offsets that are used in their implementations.  in this way if
someone renames for example a .zip file as a .abc to bypass filtering,
metadata creation will still identify it as a .zip file due to the raw
packets.  same way that if someone sends http traffic across a non http
port ...it is still identified as http just over non standard port.  Snort
can create and act off metadata as well as some other network free tools
like netminer and RSA's investigator that you c an download and further see
how metadata can make your analysis much more effective and make you a
faster analyst.

meta can be used to identify filetypes, applications, geo, match domain
malware lists, protocols, flags, payload statistics, so many things it
would be impossible to list them all.  In snort it's used so even if
traffic isnt on the typical port used by ssh for example, its still
identified as such so it can't be fooled by our wonderful advanced
adversaries we are looking to thwart.


On Sun, Dec 6, 2015 at 11:53 AM, Rafael Leiva-Ochoa <spawn at ...17369...>

> Any takers...
> On Friday, December 4, 2015, Rafael Leiva-Ochoa <spawn at ...17369...> wrote:
>> Hi All,
>>     I am trying to understand how "metadata: service http"  and other
>> service types work.
>> I tried reading these documents:
>> http://manual.snort.org/node323.html
>> and
>> http://manual.snort.org/node22.html#targetbased
>> But, I am still a bit confused..: (
>> As I read, the document, it stated the following: "The service Metadata
>> Key is only meaningful when a Host Attribute Table is provided".
>> The confusing part is a lot of Talos signatures us "metadata:
>> service http", but there is no Host Attribute Tables created for that by
>> default when I installed snort. How are those signatures going to work
>> without it?
>> On the snort.conf there is no setting to tell snort to load the
>> Attributes XML's. How is that done?
>> I also tried creating a custom rule on the local.rules file to better my
>> understanding of "metadata service" using "ssh",  but it does not fire when
>> I use it. It only works when I remove the "service ssh".
>> here is the rule:
>> alert tcp $HOME_NET any -> $HOME_NET 22 ( \
>>         msg:"SSH Brute Force Attempt"; \
>>         flow:established,to_server; \
>>         content:"SSH"; nocase; offset:0; depth:4; \
>>         detection_filter:track by_src, count 3, seconds 60; \
>>         sid:1000001; metadata:service ssh; rev:1;)
>> My understanding of metadata is that it is used to detect that someone is
>> using a service not based on the port, but based on what the protocol is
>> exhibiting. From example, if I ssh to a server using port 4598, which is
>> not a standard ssh port, the "metadata service ssh" will be able to see it
>> is ssh even though I had port 22 on the signature for the destination port.
>> Any input and answers would be great.
>> Thanks,
>> Rafael
> ------------------------------------------------------------------------------
> Go from Idea to Many App Stores Faster with Intel(R) XDK
> Give your users amazing mobile app experiences with Intel(R) XDK.
> Use one codebase in this all-in-one HTML5 development environment.
> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> OSs.
> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20151206/4a2b04cf/attachment.html>

More information about the Snort-users mailing list