Snort mailing list archives
Unexpected results with reputation preprocessor
From: Dave Corsello <snort-users () wintertreemedia com>
Date: Sat, 15 Mar 2014 15:56:40 -0400
Early this morning, I got a number of "reputation: Packet is blacklisted" alerts in BASE for a single external address that was attempting to communicate with my mail gateway over port 25. At first, it seemed to me that the traffic wasn't dropped as reported, because half of the alerts are on outbound traffic. But I see no evidence in my maillog of inbound or outbound connections involving the offending address. So, although the inbound connection attempts were successfully blocked by the reputation preprocessor, the alerts on the outbound traffic are erroneous, and must have been generated in error by Snort. Any ideas why this might have happened? I'm using Snort 2.9.6.0, DAQ 2.02 and barnyard2 2.1.13 on Ubuntu 10.04.3. According to my alert.fast file, barnyard2 reported the events accurately as recorded by Snort. Snort was configured with --enable-sourcefire and --enable-reload. Here are some applicable settings:
From snort.conf:
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

preprocessor reputation: \
    memcap 500, \
    priority blacklist, \
    white unblack, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/default.whitelist, \
    blacklist $BLACK_LIST_PATH/default.blacklist

My default.blacklist contains the offending external address. My default.whitelist file is empty. PREPROC_RULE_PATH is set in snort.conf but never used, and that path contains no files.
From snort.rules:
drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Thanks in advance...
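To check the poster's observation that half the gid 136 alerts were on outbound traffic, the following added example (not part of the original post or of Snort) reads a reputation blacklist in the preprocessor's one-address-or-CIDR-per-line format and tallies alert.fast lines by whether the listed address is the sender or the receiver. The blacklist contents and alert.fast lines are constructed samples; 203.0.113.10 stands in for the offending address and 192.0.2.25 for the mail gateway.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of default.blacklist: one IP or CIDR per line, '#' comments.
BLACKLIST_TEXT = """# default.blacklist (constructed sample)
203.0.113.10
"""

# Constructed alert.fast lines in the shape Snort 2.9.x writes them.
ALERT_FAST_LINES = [
    "03/15-03:12:45.101 [**] [136:1:1] reputation: Packet is blacklisted [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:51000 -> 192.0.2.25:25",
    "03/15-03:12:45.102 [**] [136:1:1] reputation: Packet is blacklisted [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.25:25 -> 203.0.113.10:51000",
    "03/15-03:12:48.330 [**] [136:1:1] reputation: Packet is blacklisted [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:51001 -> 192.0.2.25:25",
    "03/15-03:13:01.007 [**] [136:1:1] reputation: Packet is blacklisted [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.0.2.25:25",
    "03/15-03:13:05.500 [**] [1:2000000:1] Some text rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.9:40001 -> 192.0.2.25:25",
]

# [gid:sid:rev] ... {PROTO} src[:sport] -> dst[:dport]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] .*?\[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def load_blacklist(text):
    """Parse the reputation list format into ip_network objects."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def is_listed(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def classify(lines, nets, gid="136"):
    """Tally reputation alerts by where the listed address sits in the 5-tuple."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m.group("gid") != gid:
            continue  # not a reputation preprocessor event
        if is_listed(m.group("src"), nets):
            counts["inbound"] += 1    # listed address is the sender
        elif is_listed(m.group("dst"), nets):
            counts["outbound"] += 1   # listed address is the receiver
        else:
            counts["unlisted"] += 1   # gid 136 fired but neither side is in the file
    return counts
```

A non-zero "unlisted" count points at a list that differs from what the running Snort loaded (for example a stale list after a reload), while an "outbound" count shows how many alerts came from the local host's side of the conversation.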