Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor

[Timo <snort () iu1 de>]

Hi,

I found the issue. When I created the blacklist and whitelist files I 
copied blacklist to whitelist and forgot to remove the test IP from the 
file whitelist. Sorry.
So my config works find. Just use my initial mail as guidline instead of 
question :).

cheers
Timo



Am 06.11.2015 um 15:04 schrieb Evgeniy Sudyr:
> If I understood you correctly then you need check
>
> config policy_mode:tap
>
> More details there: http://manual.snort.org/node11.html
>
>
>
> On Fri, Nov 6, 2015 at 1:55 PM, Timo <snort () iu1 de
> <mailto:snort () iu1 de>> wrote:
>
>     Hi,
>
>     this is my first post. Hope I do correct.
>
>     I have a problem with preprocessor reputation. I set everything up, but
>     no alerts about blocked IPs. Other alerts show up fine.
>
>     # Reputation preprocessor. For more information see README.reputation
>     preprocessor reputation: \
>          memcap 500, \
>          scan_local, \
>          priority whitelist, \
>          nested_ip both, \
>          whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
>          blacklist $BLACK_LIST_PATH/iplists/default.blacklist
>
>     default.blacklist currently contains one IP for testing. (Plain IP
>     xxx.xxx.xxx.xxx.)
>     default.whitelist is empty.
>
>     I use pulledpork for rules. So all rules are in snort.rules.
>     Within snort.rules there are the corresponding rules for preprocessor
>     reputation:
>     alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1;
>     metadata: rule-type preproc ; classtype:bad-unknown; )
>     alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1;
>     metadata: rule-type preproc ; classtype:bad-unknown; )
>
>     For GUI I use Snorby.
>
>     Logoutput goes to unified2:
>     output unified2: filename snort.u2, limit 128
>
>     I use barnyard to send logs to mysql:
>     output database: log, mysql, user=xxxx password=xxxx dbname=xxxx
>     host=localhost
>
>     Alerts work fine for standard snort rules. Also preprocessor alerts are
>     logged. For example I had a lot of stream5 alerts in the past. I
>     disabled them by using threshold.conf:
>     ...
>     suppress gen_id 129, sig_id 0
>     ...
>     #suppress gen_id 136, sig_id 0
>     ...
>     In order to receive alerts from repuation preprocessor I do NOT suprees
>     id 136. But there are no alerts about IPs within blacklist.
>
>     grep 136 gen-msg.map
>     136 || 1 || reputation: Packet is blacklisted
>     136 || 2 || reputation: Packet is whitelisted
>
>     This is how I run Snort:
>     /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i
>     eth1 -D
>     So it runs in IDS mode.
>
>     What am I doing wrong? I don't want to drop blacklisted IPs. I just want
>     alerts about blacklisted IPs. I want to know, if a host contacts a CNC
>     server or something.
>
>     Any ideas?
>
>     Cheers
>     Timo
>
>     ------------------------------------------------------------------------------
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users () lists sourceforge net
>     <mailto:Snort-users () lists sourceforge net>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users list archive:
>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>     Please visit http://blog.snort.org to stay current on all the latest
>     Snort news!
>
>
>
>
> --
> --
> With regards,
> Eugene Sudyr

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!