[Snort-users] Understanding MetaData

Joel Esler (jesler) jesler at ...589...
Mon Dec 7 11:36:46 EST 2015


If you don’t have a host attribute table, and no openappid, then Snort falls back to the old method of detection (port based)


--
Joel Esler
Manager, Talos Group




On Dec 6, 2015, at 1:57 PM, Rafael Leiva-Ochoa <spawn at ...17369...<mailto:spawn at ...17369...>> wrote:

Thanks Paul for the explanation. I guess what confuses me the most is that when I read the documentation, it's stated that I needed a host attribute table in order for the meta-data service to work. Is that still the case? The reason I ask is because I see a lot of signatures that have meta-data service, but there is no host attribute table that is created by snort when I compiled it. I only see an example attribute table that can be used in order to make custom attribute tables.

 I also don't understand how snort knows where the host attributes tables are if there's nothing in the configuration in the snort.conf that points to it.

I want to create custom signatures that can use metadata service in order to better accurately identify applications not based on port, but based on their behavior characteristics as you explained, but it doesn't seem to be working when I use Medela service on custom signatures.

On Sunday, December 6, 2015, paul meding <medingtac at ...11827...<mailto:medingtac at ...11827...>> wrote:
Not snort answer per se but metadata is to bring context to network traffic.  Magic numbers can identify applications, filetypes, etc based upon the offsets that are used in their implementations.  in this way if someone renames for example a .zip file as a .abc to bypass filtering, metadata creation will still identify it as a .zip file due to the raw packets.  same way that if someone sends http traffic across a non http port ...it is still identified as http just over non standard port.  Snort can create and act off metadata as well as some other network free tools like netminer and RSA's investigator that you c an download and further see how metadata can make your analysis much more effective and make you a faster analyst.

meta can be used to identify filetypes, applications, geo, match domain malware lists, protocols, flags, payload statistics, so many things it would be impossible to list them all.  In snort it's used so even if traffic isnt on the typical port used by ssh for example, its still identified as such so it can't be fooled by our wonderful advanced adversaries we are looking to thwart.

Paul



On Sun, Dec 6, 2015 at 11:53 AM, Rafael Leiva-Ochoa <spawn at ...17369...<javascript:_e(%7B%7D,'cvml','spawn at ...17369...');>> wrote:
Any takers...


On Friday, December 4, 2015, Rafael Leiva-Ochoa <spawn at ...17369...<javascript:_e(%7B%7D,'cvml','spawn at ...17369...');>> wrote:
Hi All,

    I am trying to understand how "metadata: service http"  and other service types work.

I tried reading these documents:

http://manual.snort.org/node323.html

and

http://manual.snort.org/node22.html#targetbased

But, I am still a bit confused..: (

As I read, the document, it stated the following: "The service Metadata Key is only meaningful when a Host Attribute Table is provided".

The confusing part is a lot of Talos signatures us "metadata: service http", but there is no Host Attribute Tables created for that by default when I installed snort. How are those signatures going to work without it?

On the snort.conf there is no setting to tell snort to load the Attributes XML's. How is that done?

I also tried creating a custom rule on the local.rules file to better my understanding of "metadata service" using "ssh",  but it does not fire when I use it. It only works when I remove the "service ssh".

here is the rule:


alert tcp $HOME_NET any -> $HOME_NET 22 ( \

        msg:"SSH Brute Force Attempt"; \

        flow:established,to_server; \

        content:"SSH"; nocase; offset:0; depth:4; \

        detection_filter:track by_src, count 3, seconds 60; \

        sid:1000001; metadata:service ssh; rev:1;)

My understanding of metadata is that it is used to detect that someone is using a service not based on the port, but based on what the protocol is exhibiting. From example, if I ssh to a server using port 4598, which is not a standard ssh port, the "metadata service ssh" will be able to see it is ssh even though I had port 22 on the signature for the destination port.

Any input and answers would be great.

Thanks,

Rafael

------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<javascript:_e(%7B%7D,'cvml','Snort-users at lists.sourceforge.net');>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20151207/423f07df/attachment.html>


More information about the Snort-users mailing list