Snort mailing list archives
Re: Reputation clarification
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 7 Sep 2011 14:44:11 -0400
On Wed, Sep 7, 2011 at 12:04 PM, Lay, James <james.lay () wincofoods com> wrote:
Hey all! So…I’m doing my upgrade to 2.9.1….very excited. A (possibly idiotic ;)) question I have on the Reputation preprocessor…this is really just an IP based black/whitelist yes?
Yes - at the moment.
If so, what would be the difference for "whitelisting" via startup command versus using the whitelist, say with: snort -c snort.conf ip and not host bleh
Using a bpf can reduce the number of packets that Snort sees which helps performance. Using reputation is a little more flexible since you can reload the config and change the white/black lists on the fly.
Also, if I’m reading the below right, does this mean that EVERY time a packet goes to google.com I’ll get an alert? Thanks all.
If you enable the alerts, you will get them, subject to any event filters. If you don't want the alerts, don't enable them.
James

From the manual:

Use case
A user wants to protect his/her network from unwanted/unknown IPs, only allowing some trusted IPs. Here is the configuration:

preprocessor reputation: \
    blacklist /etc/snort/default.blacklist
    whitelist /etc/snort/default.whitelist

In file "default.blacklist"
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1

In file "default.whitelist"
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com

Reputation preprocessor uses GID 136 to register events.

SID  Description
1    Packet is blacklisted.
2    Packet is whitelisted.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
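A small model of the two approaches compared in this thread, added here as an example (it is not Snort's code or the manual's): it parses the manual's two list files, applies the reputation lookup to a packet's source and destination addresses, and contrasts that with a BPF `not host` exclusion, where the packet never reaches Snort at all. It assumes whitelist entries take precedence over blacklist entries, which the quoted use case requires because its blacklist covers every IPv4 address; the list contents and packets below are constructed test data.

```python
import ipaddress

# GID and SIDs from the manual excerpt quoted above.
REPUTATION_GID = 136
SID_BLACKLISTED = 1
SID_WHITELISTED = 2

# Constructed copies of the manual's two list files.
DEFAULT_BLACKLIST = """
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1
"""
DEFAULT_WHITELIST = """
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com
"""

def load_list(text):
    """Parse a reputation list: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # strict=False: host bits set in '1.0.0.0/1' still yield the intended 0.0.0.0/1
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

BLACKLIST = load_list(DEFAULT_BLACKLIST)
WHITELIST = load_list(DEFAULT_WHITELIST)

def in_list(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def reputation_verdict(src, dst, blacklist=BLACKLIST, whitelist=WHITELIST):
    """Assumed precedence: whitelist first, then blacklist. Returns (verdict, (gid, sid)) or None."""
    if in_list(src, whitelist) or in_list(dst, whitelist):
        return "whitelist", (REPUTATION_GID, SID_WHITELISTED)
    if in_list(src, blacklist) or in_list(dst, blacklist):
        return "blacklist", (REPUTATION_GID, SID_BLACKLISTED)
    return None

def bpf_passes(src, dst, excluded_host):
    """Model of 'ip and not host <excluded_host>': such packets never reach Snort."""
    return excluded_host not in (src, dst)

def process(src, dst, excluded_host=None):
    """Event Snort would raise for one packet, or None if filtered by BPF or unmatched."""
    if excluded_host is not None and not bpf_passes(src, dst, excluded_host):
        return None
    return reputation_verdict(src, dst)
```

With the BPF exclusion there is no event for traffic to the excluded host, whereas the reputation whitelist still raises GID 136 SID 2 for it if those alerts are enabled.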