Snort mailing list archives

Reputation Preprocessor Question - Blacklist causing packets to skip other preprocessors and rule engine
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sat, 12 Dec 2015 16:57:57 +0100

Hello,

My question is in relation to the reputation preprocessor in Snort when
running in NIDS mode.  I have Snort working correctly with the reputation
preprocessor (alerts are generated by the reputation preprocessor when a
packet comes from a blacklisted host), but it seems that if a packet comes
from a host that is blacklisted, the packet is NOT processed by the rule
engine (and possibly the other preprocessors) after generating the
reputation preprocessor alert.

I verified this with a simple configuration (two rules in my local.rules,
with no other rules enabled), one to alert on preprocessor blacklist
alerts, and another one for all ICMP events.

When I ping my Snort sensor from a host on the blacklist, I get the alert
generated by the preprocessor, but NOT from my ICMP rule.  When I remove
that host from the blacklist and ping again, I get the alerts from my ICMP
rule.

I also noted that I received echo replies from the Snort sensor for each
ICMP request I sent (running in NIDS mode, this makes sense).

It seems that when Snort is running in NIDS mode, and it sees a packet
from a blacklisted host, that it should generate the reputation
preprocessor blacklist alert, but that the packet should still be processed
by the other preprocessors and the rule engine (if not by default, at least
with a preprocessor configuration option).

Thank you,
noah
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
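A minimal configuration that reproduces the test described in the message above (an added example for this archive page; it is not part of the original post or of the Snort distribution). It assumes a Snort 2.9.x snort.conf with the stock reputation preprocessor stanza and list-file locations, uses the documentation address 192.0.2.10 as a placeholder for the blacklisted pinging host, and the local rule SID is chosen for illustration. GID 136 is the reputation preprocessor's generator ID and SID 1 is its blacklist event.

```snort
# --- snort.conf: reputation preprocessor (stock 2.9.x stanza; list paths assumed) ---
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

include $RULE_PATH/local.rules

# --- /etc/snort/rules/black_list.rules: one IP or CIDR per line, '#' starts a comment ---
# 192.0.2.10 is a placeholder for the host that will send the pings
192.0.2.10

# --- /etc/snort/rules/local.rules: the two test rules ---
# Preprocessor event: GID 136 = reputation preprocessor, SID 1 = packet is blacklisted.
alert ( msg:"REPUTATION_EVENT_BLACKLIST"; sid:1; gid:136; rev:1; metadata:rule-type preproc; classtype:bad-unknown; )

# Ordinary text rule: fire on every ICMP packet (SID 1000001 chosen for this example)
alert icmp any any -> any any (msg:"ICMP packet seen"; sid:1000001; rev:1;)
```

Validate the configuration with `snort -T -c /etc/snort/snort.conf`, then run passively with alerts on the console, for example `snort -q -A console -c /etc/snort/snort.conf -i eth0`, and ping the sensor from 192.0.2.10. With the address listed, only the GID 136 event is expected on the console; after removing the line from black_list.rules and restarting Snort, the SID 1000001 ICMP alerts should appear for the same pings. Keeping the ICMP rule as the only text rule makes it unambiguous whether the rule engine saw the blacklisted packets at all.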