[Snort-users] Understanding MetaData

Rafael Leiva-Ochoa spawn at ...17369...
Sun Dec 6 13:57:54 EST 2015


Thanks Paul for the explanation. I guess what confuses me the most is that
when I read the documentation, it's stated that I needed a host attribute
table in order for the meta-data service to work. Is that still the case?
The reason I ask is because I see a lot of signatures that have meta-data
service, but there is no host attribute table that is created by snort when
I compiled it. I only see an example attribute table that can be used in
order to make custom attribute tables.

 I also don't understand how snort knows where the host attributes
tables are if there's nothing in the configuration in the
snort.conf that points to it.

I want to create custom signatures that can use metadata service in order
to better accurately identify applications not based on port, but based on
their behavior characteristics as you explained, but it doesn't seem to be
working when I use Medela service on custom signatures.

On Sunday, December 6, 2015, paul meding <medingtac at ...11827...> wrote:

> Not snort answer per se but metadata is to bring context to network
> traffic.  Magic numbers can identify applications, filetypes, etc based
> upon the offsets that are used in their implementations.  in this way if
> someone renames for example a .zip file as a .abc to bypass filtering,
> metadata creation will still identify it as a .zip file due to the raw
> packets.  same way that if someone sends http traffic across a non http
> port ...it is still identified as http just over non standard port.  Snort
> can create and act off metadata as well as some other network free tools
> like netminer and RSA's investigator that you c an download and further see
> how metadata can make your analysis much more effective and make you a
> faster analyst.
>
> meta can be used to identify filetypes, applications, geo, match domain
> malware lists, protocols, flags, payload statistics, so many things it
> would be impossible to list them all.  In snort it's used so even if
> traffic isnt on the typical port used by ssh for example, its still
> identified as such so it can't be fooled by our wonderful advanced
> adversaries we are looking to thwart.
>
> Paul
>
>
>
> On Sun, Dec 6, 2015 at 11:53 AM, Rafael Leiva-Ochoa <spawn at ...17369...
> <javascript:_e(%7B%7D,'cvml','spawn at ...17369...');>> wrote:
>
>> Any takers...
>>
>>
>> On Friday, December 4, 2015, Rafael Leiva-Ochoa <spawn at ...17369...
>> <javascript:_e(%7B%7D,'cvml','spawn at ...17369...');>> wrote:
>>
>>> Hi All,
>>>
>>>     I am trying to understand how "metadata: service http"  and other
>>> service types work.
>>>
>>> I tried reading these documents:
>>>
>>> http://manual.snort.org/node323.html
>>>
>>> and
>>>
>>> http://manual.snort.org/node22.html#targetbased
>>>
>>> But, I am still a bit confused..: (
>>>
>>> As I read, the document, it stated the following: "The service Metadata
>>> Key is only meaningful when a Host Attribute Table is provided".
>>>
>>> The confusing part is a lot of Talos signatures us "metadata:
>>> service http", but there is no Host Attribute Tables created for that by
>>> default when I installed snort. How are those signatures going to work
>>> without it?
>>>
>>> On the snort.conf there is no setting to tell snort to load the
>>> Attributes XML's. How is that done?
>>>
>>> I also tried creating a custom rule on the local.rules file to better my
>>> understanding of "metadata service" using "ssh",  but it does not fire when
>>> I use it. It only works when I remove the "service ssh".
>>>
>>> here is the rule:
>>>
>>> alert tcp $HOME_NET any -> $HOME_NET 22 ( \
>>>
>>>         msg:"SSH Brute Force Attempt"; \
>>>
>>>         flow:established,to_server; \
>>>
>>>         content:"SSH"; nocase; offset:0; depth:4; \
>>>
>>>         detection_filter:track by_src, count 3, seconds 60; \
>>>
>>>         sid:1000001; metadata:service ssh; rev:1;)
>>> My understanding of metadata is that it is used to detect that someone
>>> is using a service not based on the port, but based on what the protocol is
>>> exhibiting. From example, if I ssh to a server using port 4598, which is
>>> not a standard ssh port, the "metadata service ssh" will be able to see it
>>> is ssh even though I had port 22 on the signature for the destination port.
>>>
>>> Any input and answers would be great.
>>>
>>> Thanks,
>>>
>>> Rafael
>>>
>>
>>
>> ------------------------------------------------------------------------------
>> Go from Idea to Many App Stores Faster with Intel(R) XDK
>> Give your users amazing mobile app experiences with Intel(R) XDK.
>> Use one codebase in this all-in-one HTML5 development environment.
>> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
>> OSs.
>> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> <javascript:_e(%7B%7D,'cvml','Snort-users at lists.sourceforge.net');>
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20151206/b5121985/attachment.html>


More information about the Snort-users mailing list