Snort mailing list archives
Attribute Table question
From: SnortFan <SnortFan () yahoo com>
Date: Thu, 14 Nov 2013 11:07:07 -0500
Hi All,
I've got a question regarding the attribute table feature of Snort.
I work at a company where the group (mine) that is responsible for running the Snort sensors is not the group that administers the network and servers we monitor. In fact, each department has their own IT shop and we are tasked to monitor traffic between departments, coming in and going out of the company. We have not been using the attribute table feature in Snort. We want to see alerts on all traffic regardless of type and we don't know what IP is hosting what service. It looks like using the attributes table would make rules that don't fit its expected protocol type to be ignored.
One of the departments is now putting in a commercial Sourcefire product and wants our custom rules with metadata: service tags to monitor their internal traffic.
1. In our situation where we don't control the ever-changing IP space we monitor, would using the attributes table feature be even possible or helpful?
2. Would adding the "metadata: service " tags to our rules break anything if we don't have any entries in the attribute table?
3. Am I totally misunderstanding what the attribute table does?
Thanks,
Ed
