[Snort-users] Understanding MetaData

Rafael Leiva-Ochoa spawn at ...17369...
Mon Dec 7 11:38:53 EST 2015


I have openappid enabled....: )

On Monday, December 7, 2015, Joel Esler (jesler) <jesler at ...589...> wrote:

> If you don’t have a host attribute table, and no openappid, then Snort
> falls back to the old method of detection (port based)
>
>
> --
> *Joel Esler*
> Manager, Talos Group
>
>
>
>
> On Dec 6, 2015, at 1:57 PM, Rafael Leiva-Ochoa <spawn at ...17369...> wrote:
>
> Thanks Paul for the explanation. I guess what confuses me the most is that
> when I read the documentation, it's stated that I needed a host attribute
> table in order for the meta-data service to work. Is that still the case?
> The reason I ask is because I see a lot of signatures that have meta-data
> service, but there is no host attribute table that is created by snort when
> I compiled it. I only see an example attribute table that can be used in
> order to make custom attribute tables.
>
>  I also don't understand how snort knows where the host attribute
> tables are if there's nothing in the configuration in the
> snort.conf that points to it.
>
> I want to create custom signatures that can use metadata service in order
> to better accurately identify applications not based on port, but based on
> their behavior characteristics as you explained, but it doesn't seem to be
> working when I use metadata service on custom signatures.
>
> On Sunday, December 6, 2015, paul meding <medingtac at ...11827...> wrote:
>
>> Not a snort answer per se, but metadata is to bring context to network
>> traffic.  Magic numbers can identify applications, filetypes, etc. based
>> upon the offsets that are used in their implementations.  In this way, if
>> someone renames for example a .zip file as a .abc to bypass filtering,
>> metadata creation will still identify it as a .zip file due to the raw
>> packets.  Same way that if someone sends http traffic across a non-http
>> port ...it is still identified as http, just over a non-standard port.  Snort
>> can create and act off metadata, as well as some other free network tools
>> like netminer and RSA's investigator that you can download and further see
>> how metadata can make your analysis much more effective and make you a
>> faster analyst.
>>
>> Meta can be used to identify filetypes, applications, geo, match domain
>> malware lists, protocols, flags, payload statistics, so many things it
>> would be impossible to list them all.  In snort it's used so even if
>> traffic isn't on the typical port used by ssh, for example, it's still
>> identified as such, so it can't be fooled by our wonderful advanced
>> adversaries we are looking to thwart.
>>
>> Paul
>>
>>
>>
>> On Sun, Dec 6, 2015 at 11:53 AM, Rafael Leiva-Ochoa <spawn at ...17369...>
>> wrote:
>>
>>> Any takers...
>>>
>>>
>>> On Friday, December 4, 2015, Rafael Leiva-Ochoa <spawn at ...17369...>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>>     I am trying to understand how "metadata: service http"  and other
>>>> service types work.
>>>>
>>>> I tried reading these documents:
>>>>
>>>> http://manual.snort.org/node323.html
>>>>
>>>> and
>>>>
>>>> http://manual.snort.org/node22.html#targetbased
>>>>
>>>> But, I am still a bit confused..: (
>>>>
>>>> As I read, the document, it stated the following: "The service Metadata
>>>> Key is only meaningful when a Host Attribute Table is provided".
>>>>
>>>> The confusing part is a lot of Talos signatures use "metadata:
>>>> service http", but there is no Host Attribute Table created for that by
>>>> default when I installed snort. How are those signatures going to work
>>>> without it?
>>>>
>>>> On the snort.conf there is no setting to tell snort to load the
>>>> Attributes XML's. How is that done?
>>>>
>>>> I also tried creating a custom rule on the local.rules file to better
>>>> my understanding of "metadata service" using "ssh",  but it does not fire
>>>> when I use it. It only works when I remove the "service ssh".
>>>>
>>>> here is the rule:
>>>>
>>>> alert tcp $HOME_NET any -> $HOME_NET 22 ( \
>>>>         msg:"SSH Brute Force Attempt"; \
>>>>         flow:established,to_server; \
>>>>         content:"SSH"; nocase; offset:0; depth:4; \
>>>>         detection_filter:track by_src, count 3, seconds 60; \
>>>>         sid:1000001; metadata:service ssh; rev:1;)
>>>>
>>>> My understanding of metadata is that it is used to detect that someone
>>>> is using a service not based on the port, but based on what the protocol is
>>>> exhibiting. For example, if I ssh to a server using port 4598, which is
>>>> not a standard ssh port, the "metadata service ssh" will be able to see it
>>>> is ssh even though I had port 22 on the signature for the destination port.
>>>>
>>>> Any input and answers would be great.
>>>>
>>>> Thanks,
>>>>
>>>> Rafael
>>>>
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
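As an added example (not from this thread, and not a file shipped with Snort), here is the piece the thread says is missing: a minimal host attribute table that declares tcp/4598 on one host as the ssh service, written in the XML layout documented in the Snort manual's target-based section. The host address 192.168.1.234, the port 4598, the OS details and the file path are constructed for illustration.

```xml
<!-- Constructed example of a Snort 2.x host attribute table.
     Save as e.g. /etc/snort/hosts.xml (path is an assumption). -->
<SNORT_ATTRIBUTES>
  <!-- ATTRIBUTE_MAP lets repeated string values be referenced by ID. -->
  <ATTRIBUTE_MAP>
    <ENTRY>
      <ID>1</ID>
      <VALUE>Linux</VALUE>
    </ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <HOST>
      <IP>192.168.1.234</IP>
      <OPERATING_SYSTEM>
        <NAME>
          <!-- Refers to ENTRY 1 ("Linux") in the map above. -->
          <ATTRIBUTE_ID>1</ATTRIBUTE_ID>
          <CONFIDENCE>100</CONFIDENCE>
        </NAME>
        <!-- Reassembly policies frag3/stream5 should use for this host. -->
        <FRAG_POLICY>linux</FRAG_POLICY>
        <STREAM_POLICY>linux</STREAM_POLICY>
      </OPERATING_SYSTEM>
      <SERVICES>
        <SERVICE>
          <!-- The non-standard port from the question, labelled as ssh. -->
          <PORT>
            <ATTRIBUTE_VALUE>4598</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </PORT>
          <IPPROTO>
            <ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </IPPROTO>
          <!-- PROTOCOL is the value that "metadata:service ssh" is matched against. -->
          <PROTOCOL>
            <ATTRIBUTE_VALUE>ssh</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </PROTOCOL>
          <APPLICATION>
            <ATTRIBUTE_VALUE>OpenSSH</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </APPLICATION>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
```

Nothing in snort.conf points at this file until you add the line `attribute_table filename /etc/snort/hosts.xml` (the manual's `attribute_table` directive; the path is the assumption above), which answers the "how does snort know where the table is" question. Pair it with a rule whose header does not pin the port, so that the service attribute rather than the port is what keys the rule to the traffic, e.g. `alert tcp $HOME_NET any -> $HOME_NET any (msg:"SSH on non-standard port"; flow:established,to_server; content:"SSH-"; depth:4; metadata:service ssh; sid:1000002; rev:1;)`. Run `snort -T -c /etc/snort/snort.conf` first to confirm the configuration and the XML parse cleanly before going live; without the table (or OpenAppID), as Joel notes above, the service key has nothing to match against and detection falls back to ports.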

