On Mar 24, 2010, at 2:11 PM, Jason Wallace wrote:
> 1) I know that it plays into frag3, stream5, http_inspect, and rules.
> But does it also have an effect on:
>
> ftp_telnet
> ftp_telnet_protocol
> smtp
> ssh
> dcerpc2
> dcerpc2_server
> dns
> ssl
>
> I assume it would at least affect the "ports" option of these.
>
According to the 2.8.6 docs, it affects exactly what you put in your initial comment above (after the 1). I don't see, according to the documentation, that it affects other preprocessors. I did not look at the code, however.
> 2) I suspect, now that we have hogger to help out, more people will be
> migrating to using the host attribute table.
I hope so.
> Right now I have a pretty
> complicated snort.conf to do what the host attribute table would do.
> For those migrating, does it make sense to simplify our detailed
> preprocessor setups to just match the most common hosts and let the
> table handle the rest?
Exactly.
>
> 3) Kind of the same question as #2 but in relation to "var"'s. Since
> the table would have the IP and ports for these servers/services, does
> the host attribute table make the following pointless to define?
>
> var DNS_SERVERS
> var SMTP_SERVERS
> var HTTP_SERVERS
> var SQL_SERVERS
> var TELNET_SERVERS
> var FTP_SERVERS
> var SNMP_SERVERS
> portvar HTTP_PORTS
> portvar ORACLE_PORTS
> portvar FTP_PORTS
>
> I know without the host attribute table it is a good idea to
> specifically define the "*_SERVERS" vars to cut down on what is
> inspected, but with a host attribute table could you just set those to
> $HOME_NET and be done with them?
I would say yes, they are still important to configure. However, since you have such a detailed snort.conf, I would be interested in you testing both and letting us know your results.
-- Joel Esler http://blog.joelesler.net