Snort mailing list archives

How to alert blacklisted IPs in Snort IDS - Reputation preprocessor


From: Timo <snort () iu1 de>
Date: Fri, 6 Nov 2015 13:55:19 +0100

Hi,

this is my first post. Hope I do it correctly.

I have a problem with preprocessor reputation. I set everything up, but 
no alerts about blocked IPs. Other alerts show up fine.

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
    memcap 500, \
    scan_local, \
    priority whitelist, \
    nested_ip both, \
    whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
    blacklist $BLACK_LIST_PATH/iplists/default.blacklist

default.blacklist currently contains one IP for testing. (Plain IP 
xxx.xxx.xxx.xxx.)
default.whitelist is empty.

I use pulledpork for rules. So all rules are in snort.rules.
Within snort.rules there are the corresponding rules for preprocessor 
reputation:
alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; 
metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; 
metadata: rule-type preproc ; classtype:bad-unknown; )

For GUI I use Snorby.

Log output goes to unified2:
output unified2: filename snort.u2, limit 128

I use barnyard to send logs to mysql:
output database: log, mysql, user=xxxx password=xxxx dbname=xxxx host=localhost

Alerts work fine for standard snort rules. Also preprocessor alerts are 
logged. For example I had a lot of stream5 alerts in the past. I 
disabled them by using threshold.conf:
...
suppress gen_id 129, sig_id 0
...
#suppress gen_id 136, sig_id 0
...
In order to receive alerts from the reputation preprocessor I do NOT suppress 
gid 136. But there are no alerts about IPs within the blacklist.

grep 136 gen-msg.map
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted

This is how I run Snort:
/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D
So it runs in IDS mode.

What am I doing wrong? I don't want to drop blacklisted IPs. I just want 
alerts about blacklisted IPs. I want to know, if a host contacts a CNC 
server or something.

Any ideas?

Cheers
Timo
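The following is an added example, not part of Timo's post or of the Snort project: a small Python model of the reputation preprocessor's list matching as configured above (one IP or CIDR per line, `priority whitelist`, `scan_local`), plus the gid 136 event mapping taken from the `gen-msg.map` lines in the post. It is useful for sanity-checking what verdict a given source/destination pair should produce before looking for the alert in unified2 or Snorby. The list contents and addresses below are constructed; the RFC 1918 handling for `scan_local` follows README.reputation and is an assumption about the exact matching order, not Snort's own code.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample list contents (the poster's real entries are not shown).
SAMPLE_BLACKLIST = """\
# default.blacklist (constructed example): one IP or CIDR per line
198.51.100.7
203.0.113.0/24
10.0.0.0/8
"""
SAMPLE_WHITELIST = """\
# default.whitelist (constructed example; the poster's file is empty)
203.0.113.9
"""

# gid 136 messages exactly as printed by `grep 136 gen-msg.map` in the post
GEN_MSG_136 = {1: "reputation: Packet is blacklisted",
               2: "reputation: Packet is whitelisted"}

# Ranges the preprocessor skips unless scan_local is set (README.reputation)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_iplist(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a reputation list file: '#' starts a comment, blank lines are ignored."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts host bits set in a CIDR, e.g. 203.0.113.9/24
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def classify_address(ip: str, blacklist, whitelist,
                     priority: str = "whitelist",
                     scan_local: bool = False) -> Optional[str]:
    """Return 'blacklist', 'whitelist' or None for one address.

    priority decides the verdict when the address is on both lists;
    RFC 1918 addresses are only inspected when scan_local is enabled.
    """
    addr = ipaddress.ip_address(ip)
    if not scan_local and any(addr in n for n in RFC1918):
        return None
    in_black = any(addr in n for n in blacklist)
    in_white = any(addr in n for n in whitelist)
    if in_black and in_white:
        return priority
    if in_black:
        return "blacklist"
    if in_white:
        return "whitelist"
    return None


def classify_packet(src: str, dst: str, blacklist, whitelist,
                    priority: str = "whitelist",
                    scan_local: bool = False) -> Optional[str]:
    """Combine the verdicts for source and destination; priority breaks ties."""
    verdicts = {classify_address(a, blacklist, whitelist, priority, scan_local)
                for a in (src, dst)}
    verdicts.discard(None)
    if not verdicts:
        return None
    return priority if len(verdicts) == 2 else verdicts.pop()


def expected_event(verdict: Optional[str]) -> Optional[Tuple[int, int, str]]:
    """Map a verdict to the (gid, sid, message) you should see logged."""
    if verdict == "blacklist":
        return (136, 1, GEN_MSG_136[1])
    if verdict == "whitelist":
        return (136, 2, GEN_MSG_136[2])
    return None


if __name__ == "__main__":
    bl = parse_iplist(SAMPLE_BLACKLIST)
    wl = parse_iplist(SAMPLE_WHITELIST)
    for src, dst in [("192.0.2.1", "198.51.100.7"),   # blacklisted destination
                     ("192.0.2.1", "203.0.113.9"),    # on both lists -> whitelist wins
                     ("10.1.2.3", "192.0.2.1")]:      # RFC 1918 source, scan_local off
        v = classify_packet(src, dst, bl, wl, scan_local=False)
        print(f"{src} -> {dst}: verdict={v} event={expected_event(v)}")
```

The third sample pair is the case worth re-checking in the poster's setup: with `scan_local` configured, an RFC 1918 host contacting a blacklisted address is inspected, but if the test traffic never actually traverses `eth1` with the blacklisted address as source or destination, no gid 136 event is generated regardless of the lists.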

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
