OK - in that case the manual is kind of misleading. From section 2.5 of the
2.8.1rc manual:
---8<---
"For rule evaluation, service information is used instead of the ports when
the protocol metadata in the rule matches the service corresponding to the
trafïc. If the rule doesnât have protocol metadata, or the trafïc
doesnât
have any matching service information, the rule relies on the port
information."
---8<---
This way of being able to write rules based on the service, not just the port,
makes very much sense. Also the ability to make use of other context data in
rules, such as only triggering Windows alerts for Windows systems, is to my
understanding something Sourcefire are already pushing as a great advantage
in their commercial products. I guess I was hoping for Snort to make use of
that as well.
Cheers,
Patrik
On Wednesday 26 March 2008 22.29.59 Justin Heath wrote:
This should not affect your rule writing. However, dynamic attributes
should help define your stream and frag policies on the fly with the
assistance of an asset identification tool.
Cheers,
Justin
On Wed, Mar 26, 2008 at 2:14 PM, Patrik NordlÃn <patrik.nordlen@sentor.se>
wrote:
On Wednesday 12 March 2008 16.18.26 Snort Releases wrote:
Hi everybody,
A release candidate version of Snort 2.8.1 is now available on
snort.org, at http://www.snort.org/dl/
Feature highlights:
* Support for target-based attribute tables
[...]
This feature seems VERY cool and a great step forward for Snort! I
browsed through the manual for 2.8.1rc and found some information on how
the file containing the attribute tables should be formatted - however I
found no further information on how to actually use this new
functionality when writing rules. I guess this will be added in the
documentation before the final 2.8 comes out, but could someone in the
know shed some light on this until then? Also, I'm curious as to whether
this means all current rules will
soon be rewritten to use these attributes primarily.
Cheers,
Patrik
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketpl
ace _______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort
-users>list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
smime.p7s
Description: S/MIME cryptographic signature
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Register now and save $200. Hurry, offer ends at 11:59 p.m.,
Monday, April 7! Use priority code J8TLD2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
