|Main Archive Page > Month Archives > snort-users archives|
On Mar 24, 2010, at 2:11 PM, Jason Wallace wrote:
> 1) I know that it plays into frag3, stream5, http_inspect, and rules.
> But does it also have an affect on?:
> I assume it would at least affect the "ports" option of these.
According to the 2.8.6 docs, it affects exactly what you put in your initial comment above (after the 1). I don't see, according to documentation, that it affects other preprocessors. I did not look at the code however.
> 2) I suspect, now that we have hogger to help out, more people will be
> migrating to using the host attribute table.
I hope so.
> Right now I have a pretty
> complicated snort.conf to do what the host attribute table would do.
> For those migrating, does it make sense to simplify our detailed
> preprocessor setups to just match the most common hosts and let the
> the table handle the rest?
> 3) Kind of the same question as #2 but in relation to "var"'s. Since
> the table would have the IP and ports for these servers/services, does
> the host attribute table make the following pointless to define?
> var DNS_SERVERS
> var SMTP_SERVERS
> var HTTP_SERVERS
> var SQL_SERVERS
> var TELNET_SERVERS
> var FTP_SERVERS
> var SNMP_SERVERS
> portvar HTTP_PORTS
> portvar ORACLE_PORTS
> portvar FTP_PORTS
> I know without the host attribute table it is a good idea to
> specifically define the "*_SERVERS" vars to cut down on what is
> inspected, but with a host attribute table could you just set those to
> $HOME_NET and be done with them?
I would say yes, they are still important to configure. However, since you have such a detailed Snort.conf, I would be interested in you testing both and letting us know your results.
-- Joel Esler http://blog.joelesler.net
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
Snort-users mailing list
Go to this URL to change user options or unsubscribe:
Snort-users list archive: