Host Attribute Table



  • Hi,

    I cannot activate the "Host Attribute Table" in the "Preprocessors and Flow" menu.

    I always get the same error:

    php-fpm[8446]: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 49222 -D -l /var/log/snort/snort_re0_vlan40049222 --pid-path /var/run --nolock-pidfile -G 49222 -c /usr/local/etc/snort/snort_49222_re0_vlan400/snort.conf -i re0_vlan400' returned exit code '1', the output was ''

    snort[58728]: FATAL ERROR: /usr/local/etc/snort/snort_49222_re0_vlan400/snort.conf(307) ==> failed to load attribute table from /usr/local/etc/snort/snort_49222_re0_vlan400/host_attributes

    snort[58728]: /usr/local/etc/snort/snort_49222_re0_vlan400/snort.conf(307) ==> Invalid Attribute Table specification: '/usr/local/etc/snort/snort_49222_re0_vlan400/host_attributes'. Please verify the grammar at or near line 0 (tag '<snort_attributes>').

    But I also tried the "official" example from the Snort documentation (-> https://www.snort.org/documents/1, page 170).

    Same Error…  :(

    My mistake? Can someone help me?

    Thx!



  • Did you by chance create or upload your Host Attribute table from a Windows machine?  Snort might be getting tripped up on the DOS line endings (CR/LF) versus the typical UNIX line endings (LF only).

    It's been quite some time since I've looked at or tested that code in Snort, but that also means nothing really should have changed there either since it has not been touched.  I know it worked when the feature was first introduced.  I might still have the old Host Attribute table file I tested with.  If so I can test it again in a VM.

    Bill



  • Thx for the reply!

    I just tested again with the example from the Snort documentation.

    Here is the example I tried:

     <snort_attributes>
       <attribute_map>
         <entry><id>1</id><value>Linux</value></entry>
         <entry><id>2</id><value>ssh</value></entry>
       </attribute_map>
       <attribute_table>
         <host>
           <ip>192.168.1.234</ip>
           <operating_system>
             <name><attribute_id>1</attribute_id><confidence>100</confidence></name>
             <vendor><attribute_value>Red Hat</attribute_value><confidence>99</confidence></vendor>
             <version><attribute_value>2.6</attribute_value><confidence>98</confidence></version>
             <frag_policy>linux</frag_policy>
             <stream_policy>linux</stream_policy>
           </operating_system>
           <services>
             <service>
               <port><attribute_value>22</attribute_value><confidence>100</confidence></port>
               <ipproto><attribute_value>tcp</attribute_value><confidence>100</confidence></ipproto>
               <protocol><attribute_id>2</attribute_id><confidence>100</confidence></protocol>
               <application>
                 <attribute_value>OpenSSH</attribute_value><confidence>100</confidence>
                 <version><attribute_value>3.9p1</attribute_value><confidence>93</confidence></version>
               </application>
             </service>
             <service>
               <port><attribute_value>2300</attribute_value><confidence>100</confidence></port>
               <ipproto><attribute_value>tcp</attribute_value><confidence>100</confidence></ipproto>
               <protocol><attribute_value>telnet</attribute_value><confidence>100</confidence></protocol>
               <application><attribute_value>telnet</attribute_value><confidence>50</confidence></application>
             </service>
           </services>
           <clients>
             <client>
               <ipproto><attribute_value>tcp</attribute_value><confidence>100</confidence></ipproto>
               <protocol><attribute_value>http</attribute_value><confidence>91</confidence></protocol>
               <application>
                 <attribute_value>IE Http Browser</attribute_value><confidence>90</confidence>
                 <version><attribute_value>6.0</attribute_value><confidence>89</confidence></version>
               </application>
             </client>
           </clients>
         </host>
       </attribute_table>
     </snort_attributes>
    

    Yes, the upload was done from a Windows machine, but I used "Notepad++" and converted the file to Unix (LF) format before uploading it to Snort.  -> Same error.  :(

    Aug 16 22:37:53 	snort[83947]: /usr/local/etc/snort/snort_49222_re0_vlan400/snort.conf(307) ==> Invalid Attribute Table specification: '/usr/local/etc/snort/snort_49222_re0_vlan400/host_attributes'. Please verify the grammar at or near line 0 (tag '<snort_attributes>').
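    An added pre-flight checker for a host attribute table file (example code written for this thread; it is not part of the Snort package, the pfSense GUI, or Snort's own parser). The sample table is a trimmed copy of the documentation example above, and the checks cover the things raised in the thread: a UTF-8 BOM or CR/LF line endings ahead of `<snort_attributes>`, XML that is not well-formed, `attribute_id` references not declared in `attribute_map`, and confidence values outside 0-100.

```python
"""Pre-flight checks for a Snort host attribute table (constructed example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the documentation example from the thread, trimmed to one service.
SAMPLE = b"""<snort_attributes>
<attribute_map>
<entry><id>1</id><value>Linux</value></entry>
<entry><id>2</id><value>ssh</value></entry>
</attribute_map>
<attribute_table><host><ip>192.168.1.234</ip>
<operating_system><name><attribute_id>1</attribute_id><confidence>100</confidence></name></operating_system>
<services><service>
<port><attribute_value>22</attribute_value><confidence>100</confidence></port>
<ipproto><attribute_value>tcp</attribute_value><confidence>100</confidence></ipproto>
<protocol><attribute_id>2</attribute_id><confidence>100</confidence></protocol>
</service></services></host></attribute_table>
</snort_attributes>
"""


def check_attribute_table(data: bytes) -> list[str]:
    """Return the problems found in the raw file bytes; an empty list means every check passed."""
    problems = []
    # Byte-level issues that an XML parser may silently tolerate but that Snort's loader might not.
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM before <snort_attributes>")
    if b"\r\n" in data:
        problems.append("DOS (CR/LF) line endings")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != "snort_attributes":
        problems.append(f"root tag is <{root.tag}>, expected <snort_attributes>")
    # Every <attribute_id> must refer to an <id> declared in the attribute_map.
    declared = {entry.findtext("id") for entry in root.iter("entry")}
    for ref in root.iter("attribute_id"):
        if ref.text not in declared:
            problems.append(f"attribute_id {ref.text} not in attribute_map")
    # Confidence values are percentages.
    for conf in root.iter("confidence"):
        text = conf.text or ""
        if not text.isdigit() or not 0 <= int(text) <= 100:
            problems.append(f"confidence '{text}' outside 0-100")
    # Each host entry needs an address.
    for host in root.iter("host"):
        if host.find("ip") is None:
            problems.append("host without <ip>")
    return problems
```

    This does not reproduce Snort's own grammar check, so a clean result here rules out the file-level causes discussed in the thread but is not a guarantee that Snort will accept the table.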
    


  • It looks OK.  Give me a little time to test this in a virtual machine.  Might be something that got inadvertently messed up way back with the Bootstrap conversion of the GUI code.  That was a lot of work done in a hurry, and some insidious little bugs crept in.

    Bill



  • OK, Thx!  :)



  • This problem is officially kicking my butt …  :'(.

    I can't seem to find why it rejects the Host Attribute Table file.  I even used the one verbatim from the Snort documentation web site, and it still fails to load it.  Still scratching my head trying to find this bug ...

    Bill



  • :'(

    Hmm… Compilation flag missing?

    Note:  To use a host attribute table and service information, Snort must be configured with the --enable-targetbased flag.



  • @Beerman:

    :'(

    Hmm… Compilation flag missing?

    Note:  To use a host attribute table and service information, Snort must be configured with the --enable-targetbased flag.

    No, checked that first.  If that is not turned on, you get a different error about the feature not being recognized.  I made sure the line endings were UNIX – no difference.  Tried several slightly different forms of the XML -- no difference.  I'm wondering if it is an issue within Snort itself.  Wonder if this feature is heavily used?  I will try spinning up a plain vanilla Linux machine and running just the Snort binary to see if it also chokes on the Host Attribute Table file.

    Bill



  • Still have not found the source of this Host Attribute Table validation error.  I went ahead and posted an update with other bug fixes because those needed to get out to users.  I will keep looking for the Host Attribute Table problem.

    Bill



  • Thank you for your support!  :)