Snort mailing list archives
Re: reputation preprocessor and IDS
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Jun 2013 21:07:06 -0400
On 6/4/2013 16:17, Russ Combs wrote:
On Tue, Jun 4, 2013 at 4:04 PM, waldo kitty <wkitty42 () windstream net> wrote: i'll have to dig and see if there is/was a bug that was fixed from 2.9.4.1 to the latest snort versions... i whitelisted a CIDR block and they still generate alerts... specifically, we saw alerts on 129:20 when snort was reloading after setting the CIDR block in the whitelist file and bouncing snort with a complete exit and startup... we've also seen 128:4 when sshing into that sensor on a non-standard port but we DO have that non-standard port listed in the ssh config section of snort.conf... these alerts happen for only a short time and then snort seems to settle down and stop issuing them even though those same connections are still active or being terminated and restarted again... Do you have stream5_tcp: require_3whs set? That might help reach steady state sooner.
yes, that has been part of our config files since it was introduced...
i've just tested again an hour after the above alerts were logged and am seeing the same alerts as noted above... the traffic is very light compared to what many systems see... it is only a 100M internal LAN... there /may/ be some swapping going on on that test sensor... i'm seeing 7M of swap space currently used but i really don't think that that is getting in the way here... Do you have reputation: white trust set? Default is to unblack (not trust).
ahhh... it is at the default... whitelist is the only one with any entries and the settings are the defaults in the distributed snort.conf... i will have to check that out... the term 'unblack' seemed to mean 'treat the entry as not black if it is listed in the blacklist'... in other words, it is 'white' and therefore trusted... the documentation could use some work in this area ;)
Also, you may need to set reputation: scan_local if the alerts are on local addresses.
well, it is a local LAN... snort is looking only at the traffic outside of its machine... not on its interior protected LAN... the addresses are RFC1918 but not within the netblock protected by snort... eg: 192.168.100.0/24 -> sensor -> 192.168.200.0/24 the sensor's external address is 192.168.100.23/255.255.255.0 and its internal address is 192.168.200.1/255.255.255.0... yes, this sensor is a firewall/NAT_router device... -- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ How ServiceNow helps IT people transform IT departments: 1. A cloud service to automate IT design, transition and operations 2. Dashboards that offer high-level views of enterprise services 3. A single system of record for all IT processes http://p.sf.net/sfu/servicenow-d2d-j _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS JJC (Jun 04)
- Re: reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS Russ Combs (Jun 04)
- Re: reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS Joel Esler (Jun 04)
- Re: reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS JJC (Jun 04)