Snort mailing list archives
Blacklist not working
From: Charlie <ForFun2000 () hotmail com>
Date: Thu, 6 Aug 2015 09:54:42 +0100
Hi,

I am using Snort 2.9.7.5 with barnyard2-1.13 on a Linux Raspberry Pi 2 (3.18.11-v7+).

In my snort.conf, I have:

    var RULE_PATH /usr/local/snort/rules
    ...
    var WHITE_LIST_PATH /usr/local/snort/rules/iplists
    var BLACK_LIST_PATH /usr/local/snort/rules/iplists
    ...
    preprocessor reputation: \
        memcap 500, \
        scan_local, \
        priority blacklist, \
        nested_ip inner, \
        blacklist $BLACK_LIST_PATH/default.blacklist
    ...
    include $RULE_PATH/blacklist.rules

/usr/local/snort/rules/iplists/default.blacklist contains:

    1.160.114.65
    1.174.194.40
    1.234.245.2
    ...

/usr/local/snort/rules/blacklist.rules contains:

    alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
    alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
    ...

If I try to ping 1.160.114.65, no alert is reported by Snort. If I try datajunction.org (or datajunction.org:53) in a browser, I can see the Kaspersky Lab home page and no alert is reported by Snort.

So now I suspect that the blacklist function is not working, but why? How would you test the blacklist function?

Thanks in advance
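An added example for the question of how to test the blacklist; it is not part of the thread and not code from the Snort project. Two different mechanisms are in play in the configuration above: the reputation preprocessor matches on IP addresses in default.blacklist and reports hits as its own preprocessor events (generator ID 136, SID 1 for a blacklisted packet), while the rules in blacklist.rules are ordinary content rules that match the query name inside a DNS request on port 53. The script below works offline on the list file alone: it parses the list in the one-address-or-CIDR-per-line format used by default.blacklist, reports lines Snort would not be able to load, says which side of a given packet would match (with a flag mirroring the scan_local option, which controls whether RFC 1918 addresses are inspected), and picks generator-136 events out of fast-alert output. That separates "the address is not actually covered by the list" from "the preprocessor's events are not being raised". The sample list, packet addresses and alert lines are constructed, and the exact wording of the 136:1 alert line is an assumption about Snort's fast-alert format.

```python
"""Offline checker for a Snort 2.9 reputation-preprocessor blacklist.

Added example, not code from the Snort-users post or the Snort project.
Assumptions (not from the post): one IPv4/IPv6 address or CIDR block per
line with '#' comments, and reputation hits reported as generator 136,
sid 1.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

REPUTATION_GID = 136   # generator id of spp_reputation events
BLACKLIST_SID = 1      # sid 1 = packet is blacklisted

# Constructed sample in the shape of default.blacklist.  Line 3 carries a
# CRLF ending and line 4 trailing spaces on purpose: lists edited on
# Windows or pasted from a browser often look like this.
SAMPLE_BLACKLIST = (
    "# constructed sample list\n"
    "1.160.114.65\n"
    "1.174.194.40\r\n"
    "1.234.245.2   \n"
    "10.0.0.0/8\n"
    "not-an-ip\n"
)

# Constructed lines in the style of `snort -A fast` output: one content
# rule hit (gid 1) and one reputation hit (gid 136).  Exact text assumed.
SAMPLE_ALERTS = (
    '08/06-09:54:42.000001  [**] [1:23802:2] "BLACKLIST DNS request for '
    'known malware domain datajunction.org - Gauss " [**] {UDP} '
    "192.168.1.10:51000 -> 192.168.1.1:53\n"
    "08/06-09:54:43.000002  [**] [136:1:1] (spp_reputation) packet is "
    "blacklisted [**] [Priority: 2] {ICMP} 192.168.1.10 -> 1.160.114.65\n"
)

ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_blacklist(text: str) -> Tuple[List[ipaddress._BaseNetwork],
                                        List[Tuple[int, str]]]:
    """Return (networks, malformed) for a list in default.blacklist format.

    Comments and surrounding whitespace (including CR) are stripped;
    anything that still does not parse is reported with its line number
    instead of being silently dropped.
    """
    nets, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            malformed.append((lineno, raw.rstrip("\r\n")))
    return nets, malformed


def is_listed(addr: str, nets) -> Optional[str]:
    """Return the list entry (as text) containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def check_packet(src: str, dst: str, nets,
                 scan_local: bool = True) -> Dict[str, Optional[str]]:
    """Which side of a packet the reputation blacklist would match.

    With scan_local False, private (RFC 1918) addresses are skipped, as
    Snort does when the scan_local keyword is absent.
    """
    verdict: Dict[str, Optional[str]] = {}
    for side, addr in (("src", src), ("dst", dst)):
        ip = ipaddress.ip_address(addr)
        if not scan_local and ip.is_private:
            verdict[side] = None  # not inspected at all
            continue
        verdict[side] = is_listed(addr, nets)
    return verdict


def find_reputation_events(alert_text: str) -> List[Tuple[int, str]]:
    """Return (sid, line) for every generator-136 event in fast-alert text.

    Content-rule hits such as sid 23802 carry generator 1 and are ignored,
    so a list hit cannot be confused with a DNS rule hit.
    """
    hits = []
    for line in alert_text.splitlines():
        m = ALERT_ID_RE.search(line)
        if m and int(m.group(1)) == REPUTATION_GID:
            hits.append((int(m.group(2)), line.strip()))
    return hits


if __name__ == "__main__":
    networks, bad = parse_blacklist(SAMPLE_BLACKLIST)
    print("loaded", len(networks), "entries; malformed:", bad)
    print("ping to 1.160.114.65:", check_packet("192.168.1.10", "1.160.114.65", networks))
    print("reputation events:", find_reputation_events(SAMPLE_ALERTS))
```

To use it against a real sensor, feed the live default.blacklist to parse_blacklist first (a non-empty malformed list means the file itself needs fixing), then run check_packet for the source and destination of the test ping; if it reports a match but the sensor's alert output contains no generator-136 event, the list is fine and the thing to look at is whether the reputation preprocessor and its events are actually active in the running configuration.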
Current thread:
- Blacklist not working Charlie (Aug 06)
- Re: Blacklist not working Hui cao (Aug 10)