Snort mailing list archives
Re: Reputation preprocessor isn't blocking traffic
From: Dave Corsello <snort-users () wintertreemedia com>
Date: Tue, 10 Dec 2013 11:57:37 -0500
Yes, they're enabled. They were configured, by default, to alert, but I wasn't getting any alerts. I changed the rule to drop, but no traffic is dropped.

I created a simple local rule to see if I can get alerts of any kind on traffic from the same test address that I added to the blacklist:

alert tcp XX.XX.XX.XX any -> any any (msg:"testing"; sid:1000002; rev:1;)

I'm not getting alerts from this rule. Very strange. I must be missing something. The only thing different about the test address is that it's listed in my local DNS, but that shouldn't make a difference...

On 12/9/2013 8:24 PM, Joel Esler (jesler) wrote:
Do you have the two reputation preprocessor rules enabled in preprocessor.rules?

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team

Sent from my iPhone.

On Dec 7, 2013, at 22:06, "Dave Corsello" <snort-users () wintertreemedia com> wrote:

Hi,

I'm running Snort 2.9.5.5 inline. My reputation preprocessor doesn't seem to be blocking all of the traffic that it's configured to block. My snort.conf contains:

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/default.whitelist, \
    blacklist $BLACK_LIST_PATH/default.blacklist

My default.whitelist file is empty. My default.blacklist file contains around 2600 entries, most of which come from labs.snort.org via pulledpork, and two of which I added manually. (I'm just realizing that the two that I added today will probably be lost when pulledpork runs again. But they are currently still there.)

When snort initializes, the following messages are displayed:

Dec 7 14:11:40 sensor1 snort[14229]: Reputation config:
Dec 7 14:11:40 sensor1 snort[14229]: WARNING: /etc/snort/snort.conf(514) => Keyword priority for whitelist is not applied when white action is unblack.
Dec 7 14:11:40 sensor1 snort[14229]: Processing whitelist file /etc/snort/rules/default.whitelist
Dec 7 14:11:40 sensor1 snort[14229]: Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /etc/snort/rules/default.whitelist)
Dec 7 14:11:40 sensor1 snort[14229]: Processing blacklist file /etc/snort/rules/default.blacklist
Dec 7 14:11:40 sensor1 snort[14229]: Reputation entries loaded: 3955, invalid: 0, re-defined: 0 (from file /etc/snort/rules/default.blacklist)
Dec 7 14:11:40 sensor1 snort[14229]: Reputation total memory usage: 6156928 bytes
Dec 7 14:11:40 sensor1 snort[14229]: Reputation total entries loaded: 3955, invalid: 0, re-defined: 0
Dec 7 14:11:40 sensor1 snort[14229]: Memcap: 500 (Default) M bytes
Dec 7 14:11:40 sensor1 snort[14229]: Scan local network: DISABLED (Default)
Dec 7 14:11:40 sensor1 snort[14229]: Reputation priority: blacklist
Dec 7 14:11:40 sensor1 snort[14229]: Nested IP: inner (Default)
Dec 7 14:11:40 sensor1 snort[14229]: White action: unblack (Default)
Dec 7 14:11:40 sensor1 snort[14229]: Shared memory is Not supported.

When snort is terminated, a non-zero "Number of packets blacklisted" is often included in the statistics. So, it looks like some traffic is being blacklisted. However, it appears that all traffic from the two addresses that I added to the blacklist is being allowed to pass through. The first address is an actual source of annoying traffic. The second is a known good address that I blacklisted for testing.

Any ideas why the traffic is not being blocked?

--Dave
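A quick way to check the lists themselves before blaming the preprocessor, as an added example that is not part of the thread and not Snort's own code. It assumes the reputation list format described in README.reputation (one IPv4/IPv6 address or CIDR block per line, `#` starts a comment, blank lines ignored); the lists and the test address below are constructed for the example, and `verdict()` is a simplified reading of the `white` (unblack/trust) and `priority` options, not the preprocessor's actual code.

```python
"""Sanity-check Snort 2.9 reputation preprocessor lists before restarting the sensor.

Added example, not code from the thread or from Snort. Assumptions:
  * list format as in Snort's README.reputation: one IPv4/IPv6 address or
    CIDR block per line, '#' starts a comment, blank lines are ignored;
  * verdict() is a simplified model of the 'white' (unblack|trust) and
    'priority' options, not Snort's code.
The sample lists and the test address are constructed for this example.
"""
import ipaddress

# Constructed stand-in for /etc/snort/rules/default.blacklist.
BLACKLIST_TEXT = """\
# feed entries, constructed for the example
198.51.100.0/24
203.0.113.7
203.0.113.200  # manually added test entry
not-an-ip      # typo; shows up in the 'invalid:' counter at startup
"""

# Constructed stand-in for default.whitelist (the poster's file is empty).
WHITELIST_TEXT = """\
# nothing here yet
"""


def parse_list(text):
    """Return (networks, invalid) for a reputation list.

    networks: ipaddress network objects, one per valid entry.
    invalid:  (line number, entry) for lines that do not parse.
    Comparing these counts with the startup line
    'Reputation entries loaded: N, invalid: M' tells you whether the file
    Snort read is the one you edited.
    """
    networks, invalid = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append((lineno, entry))
    return networks, invalid


def lookup(addr, networks):
    """Entries covering addr, most specific first ([] if none)."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in networks if ip in n]   # version mismatch yields False
    return sorted(hits, key=lambda n: n.prefixlen, reverse=True)


def verdict(src, dst, blacklist, whitelist, white_action="unblack", priority="whitelist"):
    """Simplified per-packet verdict (assumption, see module docstring).

    unblack (the default): a whitelisted address is taken off the blacklist;
        the packet is still inspected by the rules and 'priority' is not
        consulted (hence the startup warning in the thread).
    trust: a whitelisted endpoint bypasses inspection; when the other endpoint
        is blacklisted, 'priority' decides which list wins.
    Returns "blacklist", "pass" or "inspect".
    """
    def on(addr, lst):
        return bool(lookup(addr, lst))

    ends = (src, dst)
    if white_action == "unblack":
        blocked = any(on(a, blacklist) and not on(a, whitelist) for a in ends)
        return "blacklist" if blocked else "inspect"
    whitelisted = any(on(a, whitelist) for a in ends)
    blacklisted = any(on(a, blacklist) for a in ends)
    if whitelisted and blacklisted:
        return "pass" if priority == "whitelist" else "blacklist"
    if whitelisted:
        return "pass"
    return "blacklist" if blacklisted else "inspect"


def report(addr, black_text=BLACKLIST_TEXT, white_text=WHITELIST_TEXT):
    """Explain why addr would or would not be blacklisted (dst is a placeholder)."""
    black, bad_black = parse_list(black_text)
    white, bad_white = parse_list(white_text)
    return "\n".join([
        f"blacklist: {len(black)} loaded, {len(bad_black)} invalid {bad_black}",
        f"whitelist: {len(white)} loaded, {len(bad_white)} invalid {bad_white}",
        f"{addr} blacklist hits: {[str(n) for n in lookup(addr, black)]}",
        f"{addr} whitelist hits: {[str(n) for n in lookup(addr, white)]}",
        f"{addr} -> 192.0.2.1 verdict: {verdict(addr, '192.0.2.1', black, white)}",
    ])


if __name__ == "__main__":
    print(report("203.0.113.200"))   # the manually added entry: blacklist
    print(report("203.0.113.201"))   # off by one: no hit, verdict 'inspect'
```

Run it against the real files with `report(addr, open('/etc/snort/rules/default.blacklist').read(), open('/etc/snort/rules/default.whitelist').read())`. If the loaded/invalid counts differ from the startup log, Snort is reading a different copy of the file than you edited (pulledpork rewrites it); if the address shows no hit, the entry text itself is wrong; if it hits but the verdict is `inspect`, a whitelist entry is unblacking it.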
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Reputation preprocessor isn't blocking traffic Dave Corsello (Dec 07)
- Re: Reputation preprocessor isn't blocking traffic Joel Esler (jesler) (Dec 09)
- Re: Reputation preprocessor isn't blocking traffic Dave Corsello (Dec 10)
- Re: Reputation preprocessor isn't blocking traffic Dave Corsello (Dec 13)
- Re: Reputation preprocessor isn't blocking traffic Dave Corsello (Dec 10)
- Re: Reputation preprocessor isn't blocking traffic Joel Esler (jesler) (Dec 09)