Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor

["Hui Cao (huica)" <huica () cisco com>]

What¹s the snort exit stats?

Best,
Hui.

On 11/6/15, 7:55 AM, "Timo" <snort () iu1 de> wrote:

> Hi,
>
> this is my first post. Hope I do correct.
>
> I have a problem with preprocessor reputation. I set everything up, but
> no alerts about blocked IPs. Other alerts show up fine.
>
> # Reputation preprocessor. For more information see README.reputation
> preprocessor reputation: \
>    memcap 500, \
>    scan_local, \
>    priority whitelist, \
>    nested_ip both, \
>    whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
>    blacklist $BLACK_LIST_PATH/iplists/default.blacklist
>
> default.blacklist currently contains one IP for testing. (Plain IP
> xxx.xxx.xxx.xxx.)
> default.whitelist is empty.
>
> I use pulledpork for rules. So all rules are in snort.rules.
> Within snort.rules there are the corresponding rules for preprocessor
> reputation:
> alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1;
> metadata: rule-type preproc ; classtype:bad-unknown; )
> alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1;
> metadata: rule-type preproc ; classtype:bad-unknown; )
>
> For GUI I use Snorby.
>
> Logoutput goes to unified2:
> output unified2: filename snort.u2, limit 128
>
> I use barnyard to send logs to mysql:
> output database: log, mysql, user=xxxx password=xxxx dbname=xxxx
> host=localhost
>
> Alerts work fine for standard snort rules. Also preprocessor alerts are
> logged. For example I had a lot of stream5 alerts in the past. I
> disabled them by using threshold.conf:
> ...
> suppress gen_id 129, sig_id 0
> ...
> #suppress gen_id 136, sig_id 0
> ...
> In order to receive alerts from repuation preprocessor I do NOT suprees
> id 136. But there are no alerts about IPs within blacklist.
>
> grep 136 gen-msg.map
> 136 || 1 || reputation: Packet is blacklisted
> 136 || 2 || reputation: Packet is whitelisted
>
> This is how I run Snort:
> /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i
> eth1 -D
> So it runs in IDS mode.
>
> What am I doing wrong? I don't want to drop blacklisted IPs. I just want
> alerts about blacklisted IPs. I want to know, if a host contacts a CNC
> server or something.
>
> Any ideas?
>
> Cheers
> Timo
>
> --------------------------------------------------------------------------
> ----
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!