Snort mailing list archives

Re: Problem with reputation preprocessor in snort version 2.9.8.0 ??


From: Timo <snort () iu1 de>
Date: Wed, 9 Dec 2015 13:39:43 +0100

Found the issue. I temporarily disabled all the Snort rules. Only the
additional rules were enabled. So all the decoder rules were missing.
So no alerts. With the default Snort rules all is fine now. Sorry. :)





On 09.12.2015 at 11:03, Timo wrote:
Hi,

I just updated from Snort 2.9.7.6 to 2.9.8.0 (did the update from one
machine to another, but same OS: Ubuntu 14 LTS). I copied the
configuration from the old version to the new version. Everything seems to
work but the reputation preprocessor. I receive absolutely no alerts
about IPs listed in my ipblacklist.
I also tested with "/usr/local/bin/snort -u snort -g snort -c
/etc/snort/snort.conf -i eth0 -A console". Rules alert fine, but
blocked IPs do not.
Is there a known issue with the reputation preprocessor in this version?

This is my config:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   scan_local, \
   priority whitelist, \
   nested_ip both, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
   blacklist $BLACK_LIST_PATH/iplists/default.blacklist, \
   blacklist $BLACK_LIST_PATH/iplists/additional.blacklist

default.whitelist is empty.
default.blacklist is around 588KB
additional.blacklist is around 360KB

gen-msg.map:
...
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
...

threshold.conf:
#suppress gen_id 129, sig_id 12
#suppress gen_id 129, sig_id 15
suppress gen_id 105, sig_id 0
suppress gen_id 106, sig_id 0
suppress gen_id 112, sig_id 0
suppress gen_id 116, sig_id 0
suppress gen_id 119, sig_id 0
suppress gen_id 120, sig_id 0
suppress gen_id 122, sig_id 0
suppress gen_id 123, sig_id 0
suppress gen_id 124, sig_id 0
suppress gen_id 125, sig_id 0
suppress gen_id 126, sig_id 0
suppress gen_id 127, sig_id 0
suppress gen_id 128, sig_id 0
suppress gen_id 129, sig_id 0
suppress gen_id 131, sig_id 0
suppress gen_id 132, sig_id 0
suppress gen_id 133, sig_id 0
suppress gen_id 134, sig_id 0
#suppress gen_id 136, sig_id 0
suppress gen_id 137, sig_id 0
suppress gen_id 139, sig_id 0
suppress gen_id 140, sig_id 0
suppress gen_id 141, sig_id 0
suppress gen_id 142, sig_id 0
suppress gen_id 143, sig_id 0
suppress gen_id 1, sig_id 1852

cheers
Timo


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
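The thread resolves once the default rule set is re-enabled: in Snort 2.9.x the reputation preprocessor raises GID 136 events, but those events only become alerts when the matching entries from preprocessor.rules are loaded (or `config autogenerate_preprocessor_decoder_rules` is set), and a `suppress gen_id 136` line in threshold.conf would silence them again. The script below is an added example, not code from the thread or from the Snort project: it runs those three checks statically over a snort.conf and threshold.conf given as strings. The two sample configs are constructed for the example; the hypothetical path `/etc/snort/iplists/default.blacklist` and the `$PREPROC_RULE_PATH` variable are assumptions, and the script only inspects the text it is handed (it does not read files or run Snort).

```python
"""Static checks for a Snort 2.9.x reputation preprocessor setup.

Added example (not from the mailing-list thread). It checks, over config
text supplied as strings, the three things that decide whether blacklisted
IPs ever produce an alert:

  1. a `preprocessor reputation:` stanza exists and names a blacklist;
  2. preprocessor.rules is included, or
     `config autogenerate_preprocessor_decoder_rules` is set, so that
     GID 136 events are turned into alerts (README.decoder_preproc_rules);
  3. threshold.conf does not suppress gen_id 136.

Assumption: the configs below are constructed samples; nothing is read
from disk and Snort itself is not invoked.
"""
import re


def join_continuations(text):
    """Join backslash-continued lines so a multi-line stanza is one logical line."""
    return re.sub(r"\\\s*\n", " ", text)


def logical_lines(text):
    """Yield non-empty, non-comment logical lines of a Snort config."""
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def reputation_stanza(snort_conf):
    """Return the comma-separated keywords of the reputation stanza, or None."""
    for line in logical_lines(snort_conf):
        m = re.match(r"preprocessor\s+reputation\s*:\s*(.*)$", line)
        if m:
            return [k.strip() for k in m.group(1).split(",") if k.strip()]
    return None


def preproc_rules_enabled(snort_conf):
    """True if GID 136 events can become alerts at all."""
    for line in logical_lines(snort_conf):
        if re.match(r"include\s+\S*preprocessor\.rules$", line):
            return True
        if re.match(r"config\s+autogenerate_preprocessor_decoder_rules\b", line):
            return True
    return False


def suppressed_reputation_sigs(threshold_conf):
    """Return sig_ids of active `suppress gen_id 136` lines (0 means all)."""
    sigs = []
    for line in logical_lines(threshold_conf):
        m = re.match(r"suppress\s+gen_id\s+136\s*,\s*sig_id\s+(\d+)", line)
        if m:
            sigs.append(int(m.group(1)))
    return sigs


def diagnose(snort_conf, threshold_conf):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    stanza = reputation_stanza(snort_conf)
    if stanza is None:
        return ["no 'preprocessor reputation:' stanza found"]
    if not any(k.startswith("blacklist") for k in stanza):
        findings.append("reputation stanza has no blacklist entry")
    # A keyword given twice (e.g. nested_ip) leaves the effective value unclear.
    keywords = [k.split()[0] for k in stanza]
    for kw in ("nested_ip", "memcap", "priority"):
        if keywords.count(kw) > 1:
            findings.append(f"'{kw}' is given {keywords.count(kw)} times; keep one value")
    if not preproc_rules_enabled(snort_conf):
        findings.append("preprocessor.rules not included and "
                        "autogenerate_preprocessor_decoder_rules not set: "
                        "GID 136 events will never become alerts")
    sigs = suppressed_reputation_sigs(threshold_conf)
    if sigs:
        findings.append(f"threshold.conf suppresses gen_id 136 sig_id(s) {sigs}")
    return findings


# Constructed sample: reputation is configured, but the preprocessor rule
# include is commented out, as when the standard rule set is disabled.
BROKEN_CONF = """\
preprocessor reputation: \\
   memcap 500, \\
   scan_local, \\
   nested_ip both, \\
   nested_ip inner, \\
   blacklist /etc/snort/iplists/default.blacklist
# include $PREPROC_RULE_PATH/preprocessor.rules
"""

# Constructed sample: same stanza with the include restored and one nested_ip.
FIXED_CONF = """\
preprocessor reputation: \\
   memcap 500, \\
   scan_local, \\
   nested_ip inner, \\
   blacklist /etc/snort/iplists/default.blacklist
include $PREPROC_RULE_PATH/preprocessor.rules
"""

THRESHOLD = "suppress gen_id 129, sig_id 0\n#suppress gen_id 136, sig_id 0\n"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, diagnose(conf, THRESHOLD) or ["ok"])
```

Run it against the real files by reading them into strings; a non-empty findings list for the "broken" sample reproduces the symptom in the thread (rules alert, blacklist never does), and the "fixed" sample comes back clean.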
