Re: Reputation Preprocessor

[Hui Cao <hcao () sourcefire com>]

Hi Shlomi,

If you want to enable/log events, you need to enable the reputation
preprocessor alerts.

The following line might help you:

alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; )

See README.reputation for how to use reputation preprocessor.

Best,

Hui.

On Wed, Dec 7, 2011 at 6:29 PM, Joel Esler <jesler () sourcefire com> wrote:
> In its present release (updates will be coming!) it's most used for inline mode. Blacklist blocks ips, whitelist 
> doesn't inspect the traffic at all and allows it to pass.
>
> --
> Joel Esler
>
> On Dec 7, 2011, at 5:56 PM, Shlomi Musseri <musseri10 () gmail com> wrote:
>
> > Hi Guys,
> >
> > We work with snort in port mirroring mode. We have a lot of packet drop because we using  a lot of IP blacklist 
> > rules.
> > In the new version of snort 2.9.2.1 we try to use the Reputation Preprocessor that will help us to runs IP  
> > Reputation before other preprocessors.
> > The preprocessor doesn't write any logs.
> > Why we don't see any output from the Reputation Preprocessor?? Can it run port mirroring mode ??
> >
> > Thanks,
> >
> > Shlomi
> >
> > ------------------------------------------------------------------------------
> > Cloud Services Checklist: Pricing and Packaging Optimization
> > This white paper is intended to serve as a reference, checklist and point of
> > discussion for anyone considering optimizing the pricing and packaging model
> > of a cloud services business. Read Now!
> > http://www.accelacomm.com/jaw/sfnl/114/51491232/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Cloud Services Checklist: Pricing and Packaging Optimization
> This white paper is intended to serve as a reference, checklist and point of
> discussion for anyone considering optimizing the pricing and packaging model
> of a cloud services business. Read Now!
> http://www.accelacomm.com/jaw/sfnl/114/51491232/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Learn Windows Azure Live!  Tuesday, Dec 13, 2011
Microsoft is holding a special Learn Windows Azure training event for 
developers. It will provide a great way to learn Windows Azure and what it 
provides. You can attend the event by watching it streamed LIVE online.  
Learn more at http://p.sf.net/sfu/ms-windowsazure
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!