Snort - Host Attributes Table - include pfSense interfaces as hosts?
- 
 Hi, 
 when creating configuration files using nmap and hogger, the interfaces of the pfSense box (which runs Snort) get included as hosts too.
 Should I leave them in the host attributes table or remove them?
 Max
 PS: Thanks for the wonderful packages!!
- 
 I personally would not include the pfSense interfaces in the Host Attribute Table (but I guess there is no real harm if you do). The real usefulness for this feature is customizing Snort's detection and preprocessor engines for the various hosts Snort is protecting.
 Bill
- 
 Thanks a lot, Bill. Hogger seems to create unusable files. 
 I am getting:
 snort[28040]: FATAL ERROR: /usr/local/etc/snort/snort_7277_igb0/snort.conf(272) ==> failed to load attribute table from /usr/local/etc/snort/snort_7277_igb0/host_attributes
 Do you know of a good tutorial on how to create these files?
 Especially I lack the orientation on what the possible values are. E.g. should I use the nmap value ssl/http or https as protocol?
 I only find very few samples. And I wonder if the file format has changed since hogger was published.
 Could you please point me to a comprehensive example? Thank you again.
- 
 I found this sample file (attached) that was put together by one of the core Snort VRT guys, Joel Esler. I used it during my testing of the Host Attribute Table feature. I have not actually done an nmap/hogger run, but will. I did the nmap scan but then got distracted on another project and never processed it the rest of the way. I will do so to see what problems, if any, I encounter.
 The attached file was copied from this online article from 2010 by Joel: http://www.csoonline.com/article/546763/tuning-snort-with-host-attribute-tables
 I've never run across a really great document reference for the Host Attribute Table.
 Bill
- 
 Hi Bill, 
 I tested your file and it does work. Thank you very much.
 A readable overview of current nmap-detectable OSes can be found here: http://nmap.org/data/os-classes.txt
 Found some indications of policies in https://github.com/jasonish/snort/blob/master/src/preprocessors/Stream5/snort_stream5_tcp.c (or download the Snort source to get it):

    /* enum for policy names */
    static char *reassembly_policy_names[] = {
        "no policy!",
        "FIRST",
        "LINUX",
        "BSD",
        "OLD LINUX",
        "LAST",
        "WINDOWS",
        "SOLARIS",
        "HPUX11",
        "IRIX",
        "MACOS",
        "HPUX10",
        "WINDOWS VISTA",
        "WINDOWS 2003",   /* without this comma the two adjacent literals merge into "WINDOWS 2003IPS" */
        "IPS"
    };

 Would you choose the WINDOWS 2003 frag policy for a Windows 2008 Server? Thank you!
 BR, Max
- 
 Just a hunch, and this is not based on any research, but I would choose Windows Vista for Windows 2008 over Windows 2003. It seems that for a number of other things, Vista and Windows 7 more closely resemble Windows 2008 and 2008 R2 than does Windows 2003. One place is hardware drivers, for instance. Usually something that works on Vista has a decent chance of working on 2008, and pretty much any Windows 7 driver is likely to work on 2008.
 Bill
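 Added example (written for this page; it is not hogger, not Bill's attached file and not code from the Snort project): a small Python script that turns nmap -oX output into a host attribute table and covers the three questions raised in the thread. It drops the sensor's own interface addresses (pass them in `exclude`), shows that the "ssl/http" nmap prints is stored in the XML as `name="http" tunnel="ssl"` so "https" never has to be chosen (such ports are recorded as ssl, which is my choice rather than anything the thread or the Snort manual prescribes), and maps nmap's osfamily/osgen to FRAG_POLICY/STREAM_POLICY tokens, with Windows 2008 mapped to vista as Bill suggests. The embedded nmap XML, the 192.0.2.x addresses and the OS-to-policy table are constructed assumptions; the element layout (ATTRIBUTE_MAP plus ATTRIBUTE_TABLE, each attribute carrying an ATTRIBUTE_ID or ATTRIBUTE_VALUE and a CONFIDENCE) follows the example in the Snort 2.9 manual.

```python
"""Build a Snort 2.9 host attribute table from nmap -oX output (added example)."""
import xml.etree.ElementTree as ET

# CONSTRUCTED nmap -oX sample: the sensor's own interface (192.0.2.1) plus two protected
# hosts. nmap's "ssl/http" is stored as name="http" tunnel="ssl"; "https" never appears.
NMAP_XML = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl" product="lighttpd"/></port>
</ports><os><osmatch name="FreeBSD 10.X"><osclass vendor="FreeBSD" osfamily="FreeBSD" osgen="10.X"/></osmatch></os></host>
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
</ports><os><osmatch name="Linux 4.X"><osclass vendor="Linux" osfamily="Linux" osgen="4.X"/></osmatch></os></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Windows Server 2008"/></port>
</ports><os><osmatch name="Windows Server 2008"><osclass vendor="Microsoft" osfamily="Windows" osgen="2008"/></osmatch></os></host>
</nmaprun>"""


def policies(osfamily, osgen):
    """ASSUMED map from nmap osfamily/osgen to (frag3 policy, stream5 policy), using the
    tokens frag3/stream5_tcp accept; unknown OSes fall back to stream5's default, bsd."""
    if osfamily == "Windows":
        if osgen == "2003":
            return ("windows", "win2003")
        # Windows 2008 -> vista is the choice the thread arrives at
        return ("windows", "vista" if osgen in ("Vista", "7", "2008", "2008 R2") else "windows")
    table = {"Linux": ("linux", "linux"), "FreeBSD": ("bsd", "bsd"), "OpenBSD": ("bsd", "bsd"),
             "Solaris": ("solaris", "solaris"), "Mac OS X": ("bsd", "macos")}
    return table.get(osfamily, ("bsd", "bsd"))


def parse_nmap(xml_text, exclude=frozenset()):
    """One dict per host; addresses in `exclude` (the sensor's own interfaces) are dropped."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None or addr.get("addr") in exclude:
            continue
        osc = h.find("os/osmatch/osclass")
        fam, gen = (osc.get("osfamily", ""), osc.get("osgen", "")) if osc is not None else ("", "")
        frag, stream = policies(fam, gen)
        services = []
        for p in h.findall("ports/port"):
            state, svc = p.find("state"), p.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue  # only open ports carry a usable service
            # a TLS-tunnelled port is recorded as ssl, since that is all Snort will see (my choice)
            proto = "ssl" if svc.get("tunnel") == "ssl" else svc.get("name", "unknown")
            services.append({"port": p.get("portid"), "ipproto": p.get("protocol"),
                             "protocol": proto, "application": svc.get("product") or "unknown"})
        hosts.append({"ip": addr.get("addr"), "os": fam or "unknown", "frag": frag,
                      "stream": stream, "services": services})
    return hosts


def _attr(parent, tag, value=None, attr_id=None):
    """<TAG> carrying an inline ATTRIBUTE_VALUE, or an ATTRIBUTE_ID into ATTRIBUTE_MAP."""
    e = ET.SubElement(parent, tag)
    ET.SubElement(e, "ATTRIBUTE_VALUE" if attr_id is None else "ATTRIBUTE_ID").text = \
        str(value if attr_id is None else attr_id)
    ET.SubElement(e, "CONFIDENCE").text = "100"


def build_hat(hosts):
    """Laid out like the Snort 2.9 manual's example: OS names and service protocols go
    through ATTRIBUTE_MAP, the other attributes are inline values."""
    root = ET.Element("SNORT_ATTRIBUTES")
    amap, ids = ET.SubElement(root, "ATTRIBUTE_MAP"), {}

    def map_id(name):
        if name not in ids:
            ids[name] = len(ids) + 1
            entry = ET.SubElement(amap, "ENTRY")
            ET.SubElement(entry, "ID").text = str(ids[name])
            ET.SubElement(entry, "VALUE").text = name
        return ids[name]

    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for h in hosts:
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = h["ip"]
        os_el = ET.SubElement(host, "OPERATING_SYSTEM")
        _attr(os_el, "NAME", attr_id=map_id(h["os"]))
        ET.SubElement(os_el, "FRAG_POLICY").text = h["frag"]
        ET.SubElement(os_el, "STREAM_POLICY").text = h["stream"]
        svcs = ET.SubElement(host, "SERVICES")
        for s in h["services"]:
            svc = ET.SubElement(svcs, "SERVICE")
            _attr(svc, "PORT", s["port"])
            _attr(svc, "IPPROTO", s["ipproto"])
            _attr(svc, "PROTOCOL", attr_id=map_id(s["protocol"]))
            _attr(svc, "APPLICATION", s["application"])
    return ET.tostring(root, encoding="unicode")


def summary(hat_xml):
    """Read a table back as {ip: (stream policy, frag policy, [service protocols])}."""
    root = ET.fromstring(hat_xml)
    names = {e.findtext("ID"): e.findtext("VALUE") for e in root.findall("ATTRIBUTE_MAP/ENTRY")}
    return {h.findtext("IP"): (h.findtext("OPERATING_SYSTEM/STREAM_POLICY"),
                               h.findtext("OPERATING_SYSTEM/FRAG_POLICY"),
                               [names[s.findtext("PROTOCOL/ATTRIBUTE_ID")] for s in h.findall("SERVICES/SERVICE")])
            for h in root.findall("ATTRIBUTE_TABLE/HOST")}


if __name__ == "__main__":  # 192.0.2.1 is the pfSense box itself, so leave it out
    print(build_hat(parse_nmap(NMAP_XML, exclude={"192.0.2.1"})))
```

 For a real run, scan with `nmap -O -sV -oX scan.xml <targets>`, write the generated XML to the path given by `attribute_table filename ...` in snort.conf, and check it with `snort -T -c snort.conf` before going live: that test run is where a "failed to load attribute table" error like the one quoted above shows up, instead of at the next restart.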
- 
 Thanks! 
