Snort mailing list archives

Reputation clarification


From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 7 Sep 2011 10:04:18 -0600

Hey all!

So... I'm doing my upgrade to 2.9.1... very excited. A (possibly idiotic ;)) question I have on the Reputation
preprocessor... this is really just an IP based black/whitelist, yes? If so, what would be the difference for
"whitelisting" via the startup command versus using the whitelist, say with:

snort -c snort.conf ip and not host bleh

Also, if I’m reading the below right, does this mean that EVERY time a packet goes to google.com I’ll get an alert?  
Thanks all.

James

From the manual:
Use case
A user wants to protect his/her network from unwanted/unknown IPs, only allowing some trusted IPs. Here is
the configuration:

preprocessor reputation: \
    blacklist /etc/snort/default.blacklist, \
    whitelist /etc/snort/default.whitelist
In file "default.blacklist"
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1

In file "default.whitelist"
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com

Reputation preprocessor uses GID 136 to register events.

SID   Description
1     Packet is blacklisted.
2     Packet is whitelisted.
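The manual excerpt above only gives the file format, the two-entry "match everything" blacklist and the GID/SID table, so the lookup semantics are easy to misread. The script below is an added example, not code from the original post or from the Snort project: it parses list files in the same format (one IP or CIDR per line, `#` comments), masks each entry the way a CIDR lookup does (so `1.0.0.0/1` covers 0.0.0.0-127.255.255.255), checks both endpoints of a packet, and reports which GID:SID the preprocessor would raise. The sample list contents are copied from the manual's example; the `priority` default of "whitelist" and the treatment of an overlapping match are this example's own assumptions about the preprocessor's documented `priority` option, not something stated in the quoted text. The contrast with a BPF filter is that a `not host` expression applied at startup drops the packet before Snort decodes it, so nothing is ever logged for it, whereas a whitelist entry is evaluated by the preprocessor on a decoded packet, which is why a "Packet is whitelisted" event exists at all.

```python
import ipaddress

# Constructed sample inputs, mirroring the manual's example files.
DEFAULT_BLACKLIST = """\
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1
"""

DEFAULT_WHITELIST = """\
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com
"""

GID = 136              # from the manual's table
SID_BLACKLISTED = 1
SID_WHITELISTED = 2


def parse_list(text):
    """Parse a reputation list: one IP or CIDR per line, '#' starts a comment.

    strict=False masks host bits, so '1.0.0.0/1' becomes 0.0.0.0/1 and the two
    manual entries together cover every IPv4 address.  A malformed entry is
    reported with its line number instead of being silently skipped."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad entry {entry!r}: {exc}") from exc
    return nets


def in_list(ip, nets):
    """True if ip falls inside any network of the parsed list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(src, dst, blacklist, whitelist, priority="whitelist"):
    """Return the (gid, sid) the packet would raise, or None if neither list matches.

    Both endpoints are checked, since a packet is listed if either its source
    or its destination is.  When one endpoint is blacklisted and the other is
    whitelisted, `priority` decides; "whitelist" winning by default is an
    assumption made by this example."""
    black = in_list(src, blacklist) or in_list(dst, blacklist)
    white = in_list(src, whitelist) or in_list(dst, whitelist)
    if black and white:
        sid = SID_WHITELISTED if priority == "whitelist" else SID_BLACKLISTED
        return (GID, sid)
    if white:
        return (GID, SID_WHITELISTED)
    if black:
        return (GID, SID_BLACKLISTED)
    return None


if __name__ == "__main__":
    bl = parse_list(DEFAULT_BLACKLIST)
    wl = parse_list(DEFAULT_WHITELIST)
    # Constructed packets: one to the whitelisted google.com address, one elsewhere.
    for src, dst in [("10.1.1.1", "74.125.93.104"), ("10.1.1.1", "8.8.8.8")]:
        print(src, "->", dst, classify(src, dst, bl, wl))
```

With the manual's lists, every packet lands on one list or the other: traffic to 74.125.93.104 produces 136:2 and traffic to any other address produces 136:1, because the two `/1` entries leave no IPv4 address unlisted. Changing `priority` to "blacklist" flips the overlapping case to 136:1, which is the knob to check before deciding whether a whitelist entry actually quiets an address.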