Re: Reputation preprocessor isn't blocking traffic

[Dave Corsello <snort-users () wintertreemedia com>]

Yes, they're enabled.

They were configured, by default, to alert, but I wasn't getting any
alerts.  I changed the rule to drop, but no traffic is dropped.

I created a simple local rule to see if I can get alerts of any kind on
traffic from the same test address that I added to the blacklist: 

    alert tcp XX.XX.XX.XX any -> any any (msg:"testing"; sid:1000002;
rev:1;) 

I'm not getting alerts from this rule.  Very strange.  I must be missing
something.  The only thing different about the test address is that it's
listed in my local DNS, but that shouldn't make a difference...

On 12/9/2013 8:24 PM, Joel Esler (jesler) wrote:
> Do you have the two reputation preprocessors rules enabled in preprocessor.rules?
>
> --
> Joel Esler
> Intelligence Lead
> Open Source Manager
> Vulnerability Research Team
>
> Sent from my iPhone.  
>
> > On Dec 7, 2013, at 22:06, "Dave Corsello" <snort-users () wintertreemedia com> wrote:
> >
> > Hi,
> >
> > I'm running Snort 2.9.5.5 inline.  My reputation preprocessor doesn't
> > seem to be blocking all of the traffic that it's configured to block. 
> > My snort.conf contains:
> >
> > var WHITE_LIST_PATH /etc/snort/rules
> > var BLACK_LIST_PATH /etc/snort/rules
> >
> > preprocessor reputation: \
> >   memcap 500, \
> >   priority whitelist, \
> >   nested_ip inner, \
> >   whitelist $WHITE_LIST_PATH/default.whitelist, \
> >   blacklist $BLACK_LIST_PATH/default.blacklist
> >
> > My default.whitelist file is empty.  My default.blacklist file contains
> > around 2600 entries, most of which come from labs.snort.org via
> > pulledpork, and two of which I added manually.  (I'm just realizing that
> > the two that I added today will probably be lost when pulledpork runs
> > again.  But they are currently still there.)
> >
> > When snort initializes, the following messages are displayed:
> >
> > Dec  7 14:11:40 sensor1 snort[14229]: Reputation config:
> > Dec  7 14:11:40 sensor1 snort[14229]: WARNING:
> > /etc/snort/snort.conf(514) => Keyword priority for whitelist is not
> > applied when white action is unblack.
> > Dec  7 14:11:40 sensor1 snort[14229]:     Processing whitelist file
> > /etc/snort/rules/default.whitelist
> > Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded: 0,
> > invalid: 0, re-defined: 0 (from file /etc/snort/rules/default.whitelist)
> > Dec  7 14:11:40 sensor1 snort[14229]:     Processing blacklist file
> > /etc/snort/rules/default.blacklist
> > Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded:
> > 3955, invalid: 0, re-defined: 0 (from file
> > /etc/snort/rules/default.blacklist)
> > Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total memory usage:
> > 6156928 bytes
> > Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total entries
> > loaded: 3955, invalid: 0, re-defined: 0
> > Dec  7 14:11:40 sensor1 snort[14229]:     Memcap: 500 (Default) M bytes
> > Dec  7 14:11:40 sensor1 snort[14229]:     Scan local network: DISABLED
> > (Default)
> > Dec  7 14:11:40 sensor1 snort[14229]:     Reputation priority:  blacklist
> > Dec  7 14:11:40 sensor1 snort[14229]:     Nested IP: inner (Default)
> > Dec  7 14:11:40 sensor1 snort[14229]:     White action: unblack (Default)
> > Dec  7 14:11:40 sensor1 snort[14229]:     Shared memory is Not supported.
> >
> > When snort is terminated, a non-zero "Number of packets blacklisted" is
> > often included in the statistics.   So, it looks like some traffic is
> > being blacklisted.
> >
> > However, it appears that all traffic from the two addresses that I added
> > to the blacklist is being allowed to pass through.  The first address is
> > an actual source of annoying traffic.  The second is a known good
> > address that I blacklisted for testing.  Any ideas why the traffic is
> > not being blocked?
> >
> > --Dave
> >
> > ------------------------------------------------------------------------------
> > Sponsored by Intel(R) XDK 
> > Develop, test and display web and hybrid apps with a single code base.
> > Download it for free now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!