Snort mailing list archives
Re: Metadata field in rules to identify target?
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Fri, 19 Feb 2010 16:51:05 -0500
You can also use the metadata keyword in the snort-rule if you want. It's a free text field.

metadata:SOME KEY, SOME VALUE;

Cheers,
-matt

On Fri, Feb 19, 2010 at 4:27 PM, Joel Esler <jesler () sourcefire com> wrote:
You could use the msg field to give a more specific indicator as to the purpose of the rule. "Exploit for IIS inbound", for example.

--
Joel Esler
302-223-5974
Sent from my iPhone

On Feb 19, 2010, at 3:04 PM, Williams Jon <WilliamsJonathan () JohnDeere com> wrote:

While I was discussing snort rules with some friends, I got to thinking: would it be possible to add a metadata field to a snort rule that would allow me to identify which end of the conversation is the actual target of the activity (i.e. the source or destination IP address)? The reason this comes up is that I'll sometimes need to write rules where the source of the packet is actually the target of the attack, for example looking for a response that indicates that an attack succeeded. Much of the time, analysis tools presume that the source of the packet is the source of the attack, and in this case, it's obviously not the case. With such a beast in place, I could focus on alerts/attacker, attackers/victim, etc. rather than the more mundane src/dst notation.

Thoughts?

Jon
------------------------------------
Data is the pollution of the information age. -- Bruce Schneier
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
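Worked example (added here; not code from the thread, from Sourcefire, or from Snort itself): the convention Jon asks about, implemented on the consumer side using the free-form metadata keyword Matt points to. In Snort 2 the option is written as comma-separated key/value pairs, `metadata: key value, key value;`, and keys Snort does not recognise are ignored, so an analyst-chosen key costs nothing at detection time. The key name `target`, its values `src`/`dst`, the sids, the rules and the fast-format alert lines below are all constructed for the example. A rule that fires on the attacker's inbound request is tagged `target dst`; a rule that fires on the victim's response (the "attack succeeded" case) is tagged `target src`, and the post-processor swaps attacker/victim accordingly instead of assuming packet source = attacker. Untagged rules keep the old assumption but are labelled so the analyst can tell a tagged verdict from a default one.

```python
"""Attacker/victim attribution for Snort alerts driven by a rule metadata key.

Added example, not code from the Snort-users thread or from Snort. Convention
assumed here (not a Snort built-in): `metadata:target src` marks the packet's
SOURCE as the victim (e.g. a rule matching a response that proves an exploit
worked); `metadata:target dst` marks the destination as the victim.
"""
import re
from typing import Dict, Optional, Tuple

TARGET_KEY = "target"  # hypothetical key; Snort 2 ignores metadata keys it does not know

# Constructed sample rules (local sid range).
SAMPLE_RULES = """\
# comment lines and blanks are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS exploit attempt inbound"; flow:to_server,established; content:"/scripts/"; nocase; sid:1000001; rev:1; metadata:target dst, service http;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"WEB-IIS exploit success response"; flow:to_client,established; content:"cmd.exe"; sid:1000002; rev:1; metadata:service http, target src;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB probe, no target tag"; sid:1000003; rev:1;)
"""

# Constructed alert lines in Snort's "fast" output format.
SAMPLE_ALERTS = [
    "02/19-15:04:01.123456  [**] [1:1000001:1] WEB-IIS exploit attempt inbound [**] [Priority: 0] {TCP} 203.0.113.7:51234 -> 10.0.0.5:80",
    "02/19-15:04:01.456789  [**] [1:1000002:1] WEB-IIS exploit success response [**] [Priority: 0] {TCP} 10.0.0.5:80 -> 203.0.113.7:51234",
    "02/19-15:05:10.000001  [**] [1:1000003:1] SMB probe, no target tag [**] [Priority: 0] {TCP} 198.51.100.9:4444 -> 10.0.0.9:445",
]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
META_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_metadata(rule: str) -> Dict[str, str]:
    """Return a rule's metadata as {key: value}. Snort 2 syntax: pairs are
    separated by commas, key and value by whitespace. A repeated key keeps
    the last value seen."""
    m = META_RE.search(rule)
    if not m:
        return {}
    meta: Dict[str, str] = {}
    for pair in m.group(1).split(","):
        parts = pair.strip().split(None, 1)
        if len(parts) == 2:
            meta[parts[0].lower()] = parts[1].strip()
    return meta


def load_rules(text: str) -> Dict[int, Dict]:
    """Index rules by sid; rules without a sid cannot be matched to alerts and are skipped."""
    rules: Dict[int, Dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        msg = MSG_RE.search(line)
        rules[int(sid.group(1))] = {"msg": msg.group(1) if msg else "", "meta": parse_metadata(line)}
    return rules


def split_endpoint(tok: str) -> Tuple[str, Optional[int]]:
    """'10.0.0.5:80' -> ('10.0.0.5', 80). ICMP alerts carry no port. IPv4 only:
    an IPv6 literal also contains colons and would need separate handling."""
    ip, sep, port = tok.rpartition(":")
    if not sep or not port.isdigit():
        return tok, None
    return ip, int(port)


def parse_fast_alert(line: str) -> Optional[Dict]:
    m = ALERT_RE.search(line)
    if not m:
        return None
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return {"gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
            "msg": m.group("msg"), "proto": m.group("proto"),
            "src": src_ip, "sport": src_port, "dst": dst_ip, "dport": dst_port}


def attribute(alert: Dict, rules: Dict[int, Dict]) -> Dict:
    """Map packet src/dst to attacker/victim from the rule's target tag.
    Untagged rules keep the usual 'packet source is the attacker' assumption,
    and 'basis' records that it was a default rather than a tagged verdict."""
    meta = rules.get(alert["sid"], {}).get("meta", {})
    target = meta.get(TARGET_KEY, "").lower()
    if target == "src":
        attacker, victim, basis = alert["dst"], alert["src"], "metadata"
    elif target == "dst":
        attacker, victim, basis = alert["src"], alert["dst"], "metadata"
    else:
        attacker, victim, basis = alert["src"], alert["dst"], "default"
    return {"sid": alert["sid"], "msg": alert["msg"], "attacker": attacker, "victim": victim, "basis": basis}


def attribute_log(alert_lines, rules_text: str = SAMPLE_RULES):
    """Run attribution over a list of fast-alert lines; unparseable lines are dropped."""
    rules = load_rules(rules_text)
    results = []
    for line in alert_lines:
        alert = parse_fast_alert(line)
        if alert:
            results.append(attribute(alert, rules))
    return results


if __name__ == "__main__":
    for r in attribute_log(SAMPLE_ALERTS):
        print(f"sid {r['sid']}: attacker={r['attacker']} victim={r['victim']} ({r['basis']}) {r['msg']}")
```

With the three constructed alerts, sid 1000002 (the response rule) yields attacker 203.0.113.7 and victim 10.0.0.5 even though 10.0.0.5 is the packet source, while the untagged SMB rule is attributed by the default assumption and labelled as such. Because the tag lives in the rule rather than in the alert, the same post-processing works for unified2 or syslog output once the sid is recovered.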
Current thread:
- Metadata field in rules to identify target? Williams Jon (Feb 19)
- Re: Metadata field in rules to identify target? Joel Esler (Feb 19)
- Re: Metadata field in rules to identify target? Matt Watchinski (Feb 19)
- Re: Metadata field in rules to identify target? Joel Esler (Feb 19)