[Snort-users] Hosts Attribute exception/override?

Joel Esler (jesler) jesler at ...589...
Thu Jan 22 20:11:19 EST 2015

:) we are designing something now.  

Joel Esler 
Sent from my iPhone

> On Jan 22, 2015, at 7:29 PM, Jefferson, Shawn <Shawn.Jefferson at ...14448...> wrote:
> Thanks, I’ll try to script that into the process.
> On this topic though, I was thinking, should the hosts attribute system be over-riding ports that are defined in the snort.conf like this?  I can see it adding ports that it knows run a specific service, but if I am telling it that 3128 is an HTTP port in my snort.conf shouldn’t it honor that?
> From: Joel Esler (jesler) [mailto:jesler at ...589...] 
> Sent: January 22, 2015 1:46 PM
> To: Jefferson, Shawn
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Hosts Attribute exception/override?
> Add an additional entry for that port in the Attribute table for that host.
> On Jan 22, 2015, at 2:48 PM, Jefferson, Shawn <Shawn.Jefferson at ...14448...> wrote:
> I recently made some changes on the network, and was trying to get alerting setup for a proxy server.  I had some trouble and finally tracked it down to the hosts attribute entry for my proxy.  I’m using PRADS and shipping that file to all my sensors.  Basically what had happened was that PRADS thinks that the proxy port 3128 is TLS/SSL, which it can be, but it’s also HTTP.  Snort was completely ignoring the HTTP traffic for that port, even though I had 3128 in all the right places in the snort.conf, and treating the proxy as EXTERNAL_NET.
> Is there a method to override the hosts attribute table, or should I strip this system out before sending it to this particular sensor that is watching the proxy traffic?
> Thanks
> Shawn
> ------------------------------------------------------------------------------
> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> GigeNET is offering a free month of service with a new server in Ashburn.
> Choose from 2 high performing configs, both with 100TB of bandwidth.
> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
> http://p.sf.net/sfu/gigenet_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150123/ce5627aa/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2322 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150123/ce5627aa/attachment.bin>

More information about the Snort-users mailing list