Snort mailing list archives

Re: reputation preprocessor and IDS


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 4 Jun 2013 18:20:12 -0400

On Jun 4, 2013, at 4:04 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 6/4/2013 15:36, JJC wrote:
Yes, the IP Rep preprocessor works in passive mode just like it does in inline
mode, other than drop of course.

correct on the drop method... we don't even use it :)

i'll have to dig and see if there is/was a bug that was fixed from 2.9.4.1 to 
the latest snort versions... i whitelisted a CIDR block and they still generate 
alerts... specifically, we saw alerts on 129:20 when snort was reloading after 
setting the CIDR block in the whitelist file and bouncing snort with a complete 
exit and startup... we've also seen 128:4 when sshing into that sensor on a 
non-standard port but we DO have that non-standard port listed in the ssh config 
section of snort.conf... these alerts happen for only a short time and then 
snort seems to settle down and stop issuing them even though those same 
connections are still active or being terminated and restarted again...

Whitelist doesn't mean "totally ignore these hosts", whitelist is used in the term of "these things in this whitelist? yeah, they never get blacklisted"

If you want to ignore a host, bpf it out like normal.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
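To make the distinction concrete, here is an added configuration example (not from anyone in this thread) showing the two mechanisms side by side: a reputation preprocessor whitelist, which only exempts addresses from blacklisting, and a BPF file, which removes the traffic before any preprocessor sees it. The paths, the 192.0.2.0/24 network and the file names are assumptions.

```conf
# --- snort.conf excerpt: reputation preprocessor (Snort 2.9.x syntax) ---
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/white_list.rules, \
    blacklist $BLACK_LIST_PATH/black_list.rules

# --- /etc/snort/rules/white_list.rules ---
# One address or CIDR block per line; '#' starts a comment.
# Entries here are only exempt from the blacklist: stream5 (GID 129)
# and SSH preprocessor (GID 128) alerts for these hosts still fire.
192.0.2.0/24   # assumed management network

# --- /etc/snort/bpf.conf, loaded with:  snort -c /etc/snort/snort.conf -F /etc/snort/bpf.conf ---
# BPF is applied at capture time, so excluded packets reach no
# preprocessor and no rule. This is what "ignore the host" means.
not net 192.0.2.0/24

# Caveat for defenders: a BPF exclusion hides the excluded hosts from
# every detection capability, so keep it as narrow as possible.
```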