I just put up my new FOSS, Hogger, on google code. While it's still in beta, I think the functionality lent itself to distribution before I finished the intended feature set. Last week while I was at Snort IDS/IPS + Rules Writing class from Sourcefire, I found out that pretty much the best way to make a giant leap towards tuning a Snort installation is tuning the pre-processors (namely frag3 and stream5); since natively an IDS doesn't know how each host will reassemble fragmented packets or reassemble streams, they usually are set to some default -- not that good if you want reliable results. The long way of tuning this is adding an entry for each host or group of hosts in your config file -- not really appealing to me -- the other option was write an XML file detailing the attributes of all of your hosts -- also not that appealing, as who likes writing XML?
So, with a little inspiration from the instructor I set out to write Hogger, which currently takes the output file from an nmap scan and parses it for host information, and then creates a Host Attribute Table in XML format for Snort to read.
Now to be able to use the Host Attribute table, you need to have Snort compiled with –enable-targetbased. Once that is done, just add the line attribute_table filename /path/to/file to your snort.conf file.
Word of caution here, is that filename actually has to be present, do not substitute this for the name of your file.
And if you don't believe me that the Host Attribute Table will completely rock your socks off, check out Joel Esler's post at Computer World.
No comments:
Post a Comment