Snort mailing list archives
Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor
From: Evgeniy Sudyr <eject.in.ua () gmail com>
Date: Fri, 6 Nov 2015 15:04:46 +0100
If I understood you correctly, then you need to check config policy_mode:tap. More details there: http://manual.snort.org/node11.html

On Fri, Nov 6, 2015 at 1:55 PM, Timo <snort () iu1 de> wrote:
Hi, this is my first post. Hope I do it correctly.

I have a problem with preprocessor reputation. I set everything up, but no alerts about blocked IPs. Other alerts show up fine.

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
    memcap 500, \
    scan_local, \
    priority whitelist, \
    nested_ip both, \
    whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
    blacklist $BLACK_LIST_PATH/iplists/default.blacklist

default.blacklist currently contains one IP for testing. (Plain IP xxx.xxx.xxx.xxx.) default.whitelist is empty.

I use pulledpork for rules. So all rules are in snort.rules. Within snort.rules there are the corresponding rules for preprocessor reputation:

alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

For GUI I use Snorby. Log output goes to unified2:

output unified2: filename snort.u2, limit 128

I use barnyard to send logs to mysql:

output database: log, mysql, user=xxxx password=xxxx dbname=xxxx host=localhost

Alerts work fine for standard snort rules. Also preprocessor alerts are logged. For example I had a lot of stream5 alerts in the past. I disabled them by using threshold.conf:

...
suppress gen_id 129, sig_id 0
...
#suppress gen_id 136, sig_id 0
...

In order to receive alerts from the reputation preprocessor I do NOT suppress id 136. But there are no alerts about IPs within the blacklist.

grep 136 gen-msg.map
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted

This is how I run Snort:

/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D

So it runs in IDS mode. What am I doing wrong? I don't want to drop blacklisted IPs. I just want alerts about blacklisted IPs. I want to know if a host contacts a CNC server or something. Any ideas?
Cheers
Timo

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- -- With regards, Eugene Sudyr
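As an added illustration (not code from this thread or from Snort itself), a small Python model of how the lookup discussed above is expected to behave: every address of the packet (src, dst and, with nested_ip both, the inner header's too) is checked against both list files, priority whitelist decides an address found in both, scan_local decides whether RFC1918 addresses are looked at, and policy_mode tap yields a gid 136 alert where inline would drop. The list contents and addresses are constructed, and the whitelist handling is simplified to "pass plus sid 2".

```python
import ipaddress

# Constructed sample list files in the one-IP-or-CIDR-per-line format
# that the preprocessor reads (comments start with '#').
BLACKLIST_FILE = "# constructed test list\n198.51.100.7\n203.0.113.0/24\n192.168.1.0/24\n"
WHITELIST_FILE = "203.0.113.25\n"

# Mirrors the gen-msg.map lines quoted in the thread.
GEN_MSG = {(136, 1): "reputation: Packet is blacklisted",
           (136, 2): "reputation: Packet is whitelisted"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_list(text):
    """Parse a reputation list: blank lines and '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def in_list(ip, nets):
    return any(ip in n for n in nets)

def reputation_verdict(addrs, blacklist, whitelist, priority="whitelist",
                       scan_local=True, policy_mode="tap"):
    """Model of the per-packet lookup. addrs: all IPs seen in the packet.
    Returns (action, gid, sid, msg), or None when no list matched."""
    hit_black = hit_white = False
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if not scan_local and in_list(ip, RFC1918):
            continue  # local addresses are skipped unless scan_local is set
        hit_black = hit_black or in_list(ip, blacklist)
        hit_white = hit_white or in_list(ip, whitelist)
    if hit_black and hit_white:          # 'priority' breaks the tie
        hit_black = priority == "blacklist"
        hit_white = not hit_black
    if hit_white:
        return ("pass", 136, 2, GEN_MSG[(136, 2)])
    if hit_black:
        # tap (IDS) mode can only alert; inline mode would drop the packet
        action = "drop" if policy_mode == "inline" else "alert"
        return (action, 136, 1, GEN_MSG[(136, 1)])
    return None
```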