Snort mailing list archives

Re: Reputation clarification


From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 7 Sep 2011 14:44:11 -0400

On Wed, Sep 7, 2011 at 12:04 PM, Lay, James <james.lay () wincofoods com> wrote:

Hey all!

So… I’m doing my upgrade to 2.9.1… very excited.  A (possibly idiotic ;))
question I have on the Reputation preprocessor… this is really just an IP
based black/whitelist, yes?


Yes - at the moment.


 If so, what would be the difference for “whitelisting” via startup command
versus using the whitelist, say with:

snort -c snort.conf ip and not host bleh


Using a bpf can reduce the number of packets that Snort sees which helps
performance.  Using reputation is a little more flexible since you can
reload the config and change the white/black lists on the fly.



Also, if I’m reading the below right, does this mean that EVERY time a
packet goes to google.com I’ll get an alert?  Thanks all.


If you enable the alerts, you will get them, subject to any event filters.
If you don't want the alerts, don't enable them.


James

From the manual:
Use case
A user wants to protect his/her network from unwanted/unknown IPs, only
allowing some trusted IPs. Here is
the configuration:

preprocessor reputation: \
    blacklist /etc/snort/default.blacklist, \
    whitelist /etc/snort/default.whitelist
In file "default.blacklist"
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1

In file "default.whitelist"
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com

Reputation preprocessor uses GID 136 to register events.
SID Description
1 Packet is blacklisted.
2 Packet is whitelisted.

------------------------------------------------------------------------------
Using storage to extend the benefits of virtualization and iSCSI
Virtualization increases hardware utilization and delivers a new level of
agility. Learn what those decisions are and how to modernize your storage
and backup environments for virtualization.
http://www.accelacomm.com/jaw/sfnl/114/51434361/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
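To make the difference between the two approaches concrete: a BPF such as "ip and not host bleh" discards packets before Snort ever sees them, so nothing is logged for them, while the reputation preprocessor evaluates every packet against its lists and raises GID 136 events that can be filtered, reloaded and changed at runtime. The following is an added example, not code from Snort or from anyone in this thread. It parses the two list files quoted from the manual (one IP or CIDR block per line, "#" starts a comment) and models the verdict a packet would receive. The list semantics are a simplified assumption: both addresses of the packet are looked up, a match in one list wins, and when both lists match a "priority" parameter (defaulting to whitelist) decides; the function names "parse_list", "classify" and "covers_all_ipv4" are my own. It also checks the manual's remark that the two blacklist entries together cover every IPv4 address.

```python
"""Simplified model of Snort's reputation lists (added example, not Snort code)."""
import ipaddress

GID_REPUTATION = 136   # GID the reputation preprocessor registers events under
SID_BLACKLISTED = 1
SID_WHITELISTED = 2

# Constructed copies of the two list files quoted from the manual in the thread.
DEFAULT_BLACKLIST = """\
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1
"""
DEFAULT_WHITELIST = """\
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com
"""


def parse_list(text):
    """Parse one list file: one IP or CIDR block per line, '#' starts a comment.

    strict=False is required because the manual's entries (1.0.0.0/1) have host
    bits set; ipaddress normalises them (1.0.0.0/1 becomes 0.0.0.0/1).
    Malformed lines raise ValueError with the offending line number.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comment and whitespace
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad list entry {entry!r}") from exc
    return networks


def in_list(addr, networks):
    """True if addr falls inside any block; an IPv6 address never matches an IPv4 block."""
    return any(addr in net for net in networks)


def classify(src, dst, blacklist, whitelist, priority="whitelist"):
    """Return the (GID, SID) event a packet would raise, or None if neither list matches.

    Assumed (simplified) semantics: both addresses are looked up in both lists;
    a match in exactly one list gives that verdict; if both lists match,
    `priority` ("whitelist" or "blacklist") decides.
    """
    if priority not in ("whitelist", "blacklist"):
        raise ValueError("priority must be 'whitelist' or 'blacklist'")
    addrs = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
    black = any(in_list(a, blacklist) for a in addrs)
    white = any(in_list(a, whitelist) for a in addrs)
    if black and white:
        black = priority == "blacklist"
        white = not black
    if white:
        return (GID_REPUTATION, SID_WHITELISTED)
    if black:
        return (GID_REPUTATION, SID_BLACKLISTED)
    return None


def covers_all_ipv4(networks):
    """Check the manual's claim that the blacklist entries cover all of IPv4:
    the IPv4 blocks must collapse to the single network 0.0.0.0/0."""
    v4 = [net for net in networks if net.version == 4]
    return list(ipaddress.collapse_addresses(v4)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    bl = parse_list(DEFAULT_BLACKLIST)
    wl = parse_list(DEFAULT_WHITELIST)
    print("blacklist covers all IPv4:", covers_all_ipv4(bl))
    for src, dst in (("10.1.2.3", "74.125.93.104"), ("10.1.2.3", "8.8.8.8")):
        print(f"{src} -> {dst}: {classify(src, dst, bl, wl)}")
```

With the manual's lists, every packet matches the blacklist, so a packet to google.com is reported only because the whitelist wins by default; running the same packet with priority="blacklist" turns it into a SID 1 event, which is the behaviour to confirm before relying on a whitelist to suppress alerts.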