<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>:) we are designing something now.  <br><br><div>--</div><div><b>Joel Esler</b> </div>Sent from my iPhone</div><div><br>On Jan 22, 2015, at 7:29 PM, Jefferson, Shawn <<a href="mailto:Shawn.Jefferson@...14448...">Shawn.Jefferson@...14448...</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks, I’ll try to script that into the process.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">On this topic though, I was thinking, should the hosts attribute system be over-riding ports that are defined in the snort.conf like this?  I can see it adding ports that it knows run a specific service, but if I am telling it that 3128 is an HTTP port in my snort.conf shouldn’t it honor that?<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Joel Esler (jesler) [<a href="mailto:jesler@...589...">mailto:jesler@...589...</a>] <br><b>Sent:</b> January 22, 2015 1:46 PM<br><b>To:</b> Jefferson, Shawn<br><b>Cc:</b> <a href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br><b>Subject:</b> Re: [Snort-users] Hosts Attribute exception/override?<o:p></o:p></span></p></div></div><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">Add an additional entry for that port in the Attribute table for that host. 
<o:p></o:p></p><div><p class="MsoNormal"><o:p> </o:p></p></div><div><p class="MsoNormal"><o:p> </o:p></p><div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal">On Jan 22, 2015, at 2:48 PM, Jefferson, Shawn <<a href="mailto:Shawn.Jefferson@...14448...">Shawn.Jefferson@...14448...</a>> wrote:<o:p></o:p></p></div><p class="MsoNormal"><o:p> </o:p></p><div><div><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I recently made some changes on the network, and was trying to get alerting set up for a proxy server.  I had some trouble and finally tracked it down to the hosts attribute entry for my proxy.  I’m using PRADS and shipping that file to all my sensors.  Basically what had happened was that PRADS thinks that the proxy port 3128 is TLS/SSL, which it can be, but it’s also HTTP.  Snort was completely ignoring the HTTP traffic for that port, even though I had 3128 in all the right places in the snort.conf, and treating the proxy as EXTERNAL_NET.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p></div><div><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p></div><div><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Is there a method to override the hosts attribute table, or should I strip this system out before sending it to this particular sensor that is watching the proxy traffic?</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p></div><div><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p></div><div><p class="MsoNormal"><span lang="EN-US" 
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thanks</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p></div><div><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Shawn</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p></div></div></blockquote></div><p class="MsoNormal"><o:p> </o:p></p></div></div></div></blockquote></body></html>
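Shawn says he will script the extra entry into his process. The following is an added example, not code from the thread, from PRADS or from Snort: it parses the PRADS-generated host attribute table and appends an http SERVICE entry for the proxy's port 3128 next to the existing ssl entry, which is what Joel's reply suggests. The XML layout follows the host attribute table format documented in the Snort manual; the host address 10.0.0.25 and the sample table are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Snort host attribute table layout: the proxy host
# (hypothetical address) carrying only the SSL entry PRADS produced for 3128.
SAMPLE_TABLE = """<SNORT_ATTRIBUTES><ATTRIBUTE_TABLE>
  <HOST>
    <IP>10.0.0.25</IP>
    <SERVICES>
      <SERVICE>
        <PORT><ATTRIBUTE_VALUE>3128</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
        <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
        <PROTOCOL><ATTRIBUTE_VALUE>ssl</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
      </SERVICE>
    </SERVICES>
  </HOST>
</ATTRIBUTE_TABLE></SNORT_ATTRIBUTES>"""

def _leaf(parent, tag, value, confidence="100"):
    """Append <tag><ATTRIBUTE_VALUE>v</ATTRIBUTE_VALUE><CONFIDENCE>c</CONFIDENCE></tag>."""
    node = ET.SubElement(parent, tag)
    ET.SubElement(node, "ATTRIBUTE_VALUE").text = value
    ET.SubElement(node, "CONFIDENCE").text = confidence

def _host(root, ip):
    # The HOST element for this address, or None when PRADS never saw the host.
    return next((h for h in root.iter("HOST") if h.findtext("IP") == ip), None)

def service_protocols(xml_text, ip, port):
    """Protocols the table lists for ip:port, in document order ([] if none)."""
    host = _host(ET.fromstring(xml_text), ip)
    return [] if host is None else [
        s.findtext("PROTOCOL/ATTRIBUTE_VALUE") for s in host.iter("SERVICE")
        if s.findtext("PORT/ATTRIBUTE_VALUE") == str(port)]

def add_service(xml_text, ip, port, protocol):
    """Return (added, xml) with a tcp SERVICE for ip/port/protocol appended;
    existing entries stay, so 3128 ends up listed as both ssl and http.
    Unknown host or duplicate entry: unchanged, PRADS stays the source."""
    root = ET.fromstring(xml_text)
    host = _host(root, ip)
    if host is None or protocol in service_protocols(xml_text, ip, port):
        return False, xml_text
    services = host.find("SERVICES")
    if services is None:  # host known to PRADS but without any service entries
        services = ET.SubElement(host, "SERVICES")
    svc = ET.SubElement(services, "SERVICE")
    _leaf(svc, "PORT", str(port))
    _leaf(svc, "IPPROTO", "tcp")
    _leaf(svc, "PROTOCOL", protocol)
    return True, ET.tostring(root, encoding="unicode")
```

Run `add_service` on the table PRADS emits before it is shipped to the sensor watching the proxy; the returned XML keeps every entry PRADS found and only adds the http line for that one host and port.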