Re: Unexpected results with reputation preprocessor

[James Lay <jlay () slave-tothe-box net>]

On 2014-03-19 13:22, Dave Corsello wrote:
> Thanks Joel and James.  The problem is that according to my maillog 
> the
> preprocessor did its job--the inbound traffic never made it to my
> server, so there was no outbound response traffic.  It looks to me 
> like
> for each inbound packet that the preprocessor reports, it's also
> reporting a second, non-existent packet with all of the same
> information, including timestamp, except that the source and 
> destination
> addresses are reversed.  I also see this at a client location where I
> recently upgraded to 2.9.6.0 and turned on the reputation 
> preprocessor.
> In that case, assuming that the inbound traffic was successfully
> blocked, the preprocessor seems to be reporting a non-existent 
> outbound
> HTTP packet for each blocked inbound packet.

Are you logging to unified?  Would be interesting to see the output of 
that offlist perhaps if it's sensitive.

James


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!