
[Snort-users] metadata questions


Morris, Shane (US SSA)

May 30, 2013, 2:32:15 PM

1. According to the Snort manual the metadata key values are engine, soid and service, but I've seen rules written with other options like "metadata: author snortguru". Is there a list of available keys, or are all keys other than engine, soid and service treated as comments?

2. If I am writing a rule that I want to fire on HTTP and non-HTTP traffic, how could I do this, since you have to use metadata and specify a service in the newest version of Snort?

Joel Esler

May 30, 2013, 2:51:34 PM
On May 30, 2013, at 2:32 PM, "Morris, Shane (US SSA)" <shane....@baesystems.com> wrote:

> 1. According to the Snort manual the metadata key values are engine, soid and service, but I've seen rules written with other options like "metadata: author snortguru". Is there a list of available keys, or are all keys other than engine, soid and service treated as comments?

It's a free flowing text field.  The only field that Open Source Snort uses is "service", and only if you have Adaptive profiling turned on with a host attribute table.

> 2. If I am writing a rule that I want to fire on HTTP and non-HTTP traffic, how could I do this, since you have to use metadata and specify a service in the newest version of Snort?

Can you give me an example?  (You only have to specify a service in the >=5.x Sourcefire product; this does not affect Open Source Snort.)

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Morris, Shane (US SSA)

May 30, 2013, 8:34:32 PM

I have SF 5.x and OpenSrc Snort, so that's good to know about OS Snort; I thought it was the same requirement in the newest version of Snort.

Example:

content:"hello"; metadata:service http;

If we want this to fire in both HTTP and non-HTTP streams (non-defined protocol), how do we do this?

-Shane

Joel Esler

May 31, 2013, 11:02:15 AM
On May 30, 2013, at 8:34 PM, "Morris, Shane (US SSA)" <shane....@baesystems.com> wrote:

> If we want this to fire in both HTTP and non-HTTP streams (non-defined protocol), how do we do this?

A rule with metadata should fire on both.  I think.  I'd have to test it.


Morris, Shane (US SSA)

May 31, 2013, 1:31:43 PM

I think you're right: if I use a metadata with some informational key like "metadata:author me" it should, because like you said Snort doesn't require you to specify a service.

I know this is a bit out of scope for this forum, but could you tell me how I could do this in SF 5.x, because you have to specify a service?

Thanks, Shane

From: Joel Esler [mailto:jes...@sourcefire.com]
Sent: Friday, May 31, 2013 11:02 AM
To: Morris, Shane (US SSA)
Cc: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] metadata questions

> On May 30, 2013, at 8:34 PM, "Morris, Shane (US SSA)" <shane....@baesystems.com> wrote:
>
> If we want this to fire in both HTTP and non-HTTP streams (non-defined protocol), how do we do this?

Joel Esler

May 31, 2013, 2:28:14 PM
On May 31, 2013, at 1:31 PM, "Morris, Shane (US SSA)" <shane....@baesystems.com> wrote:

> I think you're right: if I use a metadata with some informational key like "metadata:author me" it should, because like you said Snort doesn't require you to specify a service.
>
> I know this is a bit out of scope for this forum, but could you tell me how I could do this in SF 5.x, because you have to specify a service?

Okay, so some clarification: if the rule specifies a service in 5.x, it will only be evaluated if the service matches.
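The metadata handling described in this thread, as an added Python model (not Snort or Sourcefire code): it parses the free-form metadata option, treats every key except service as informational, and gates rule evaluation on service only when enforcement is on (the 5.x behaviour described above, or open-source Snort with adaptive profiling and a host attribute table). The sample rules are constructed from the thread's examples; the sids are placeholders.

```python
import re

# Constructed sample rules modelled on the thread's "content:"hello"; metadata:service http;"
# example.  sids are placeholders, not from any real ruleset.
RULES = [
    'alert tcp any any -> any any (msg:"hello, any service"; content:"hello"; metadata:author me; sid:1000001;)',
    'alert tcp any any -> any any (msg:"hello, http only"; content:"hello"; metadata:service http; sid:1000002;)',
    'alert tcp any any -> any any (msg:"hello, tagged"; content:"hello"; metadata:author me, service http; sid:1000003;)',
]

def parse_options(rule):
    """Split the parenthesised option body into (keyword, value) pairs.
    Quoted values may contain ';', so they are consumed as a unit."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    pattern = r'([a-z_]+)\s*(?::\s*((?:"[^"]*"|[^;])*))?;'
    return [(kw, (val or "").strip()) for kw, val in re.findall(pattern, body)]

def parse_metadata(opts):
    """metadata is a free-form list of 'key value' entries separated by commas.
    Keys may repeat, so each key maps to a list of values."""
    meta = {}
    for kw, val in opts:
        if kw != "metadata":
            continue
        for entry in val.split(","):
            fields = entry.split(None, 1)
            if not fields:
                continue
            key, value = fields[0], (fields[1] if len(fields) > 1 else "")
            meta.setdefault(key, []).append(value)
    return meta

def services_required(rule):
    """Only the 'service' key influences evaluation; 'author' and the like are comments."""
    return parse_metadata(parse_options(rule)).get("service", [])

def is_evaluated(rule, flow_service, enforce_service=True):
    """Model of the thread's answer: with service enforcement on, a rule carrying
    metadata:service is evaluated only when the flow's identified service matches;
    a rule with no service key is evaluated against every flow.  flow_service=None
    models traffic whose protocol was not identified.  enforce_service=False models
    open-source Snort without adaptive profiling, where the key is ignored."""
    if not enforce_service:
        return True
    required = services_required(rule)
    return not required or flow_service in required

if __name__ == "__main__":
    for rule in RULES:
        print(rule.split("msg:")[1].split(";")[0], "->", services_required(rule),
              "http:", is_evaluated(rule, "http"), "unknown:", is_evaluated(rule, None))
```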