Snort mailing list archives
snort black list issue
From: anton van der leun <anton () vanderleun com>
Date: Mon, 1 Aug 2016 12:08:01 +0200
Hello snort community,

I ran into this issue while debugging a certain attack this weekend and noticed the following, which I don't understand:

Conditions: snort blacklist has a certain IP address.
Results: after adding this address and a warm reload of snort, ICMP messages are blocked, however TCP sessions are NOT.

Example (IP address is not yet added to the black list):

root@xen2-zarafa-71-1:~# ping 5.157.87.137
PING 5.157.87.137 (5.157.87.137) 56(84) bytes of data.
64 bytes from 5.157.87.137: icmp_req=1 ttl=54 time=21.7 ms
64 bytes from 5.157.87.137: icmp_req=2 ttl=54 time=11.1 ms
^C
root@xen2-zarafa-71-1:~# telnet 5.157.87.137 80
Trying 5.157.87.137...
Connected to 5.157.87.137.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@xen2-zarafa-71-1:~#

## snort blacklist added 5.157.87.137 and snort is reloaded

root@xen2-zarafa-71-1:~# ping 5.157.87.137
PING 5.157.87.137 (5.157.87.137) 56(84) bytes of data.
^C
--- 5.157.87.137 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4030ms
root@xen2-zarafa-71-1:~# telnet 5.157.87.137 80
Trying 5.157.87.137...
Connected to 5.157.87.137.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@xen2-zarafa-71-1:~#

The screenshot of my monitoring tool is included to show that the ICMP message was indeed blocked. However, a TCP session to port 80 is still not blocked!

Here is some config and version info:

[root@snort73 scripts]# /usr/local/bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.6.2
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
    memcap 500, \
    scan_local, \
    priority whitelist, \
    nested_ip inner, \
    whitelist /etc/snort/rules/white_list.rules, \
    blacklist /etc/snort/rules/black_list.rules, \
    blacklist /etc/snort/rules/black_list_local.rules, \
    white trust

In my opinion the reputation preprocessor has absolute priority and all messages should be blocked.

I hope somebody can direct me in the right direction.

Thanks in advance,
Anton van der Leun
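One check worth running before looking further at the preprocessor itself: with `priority whitelist` in the quoted config, an address that is matched by any entry in white_list.rules is treated as whitelisted even when it is also in a blacklist file. The script below is an added example, not part of the post or of Snort; it reads list files in the same one-IP-or-CIDR-per-line, `#`-comment format and reports how an address resolves under a given priority. The list contents are constructed samples, not the poster's files.

```python
import ipaddress

# Constructed sample list files (same line format as white_list.rules /
# black_list.rules: one address or CIDR per line, '#' starts a comment).
WHITE_LIST = """
# constructed sample: trusted management network
10.0.0.0/8
192.0.2.10        # a single host that also falls inside a blacklisted range
"""

BLACK_LIST = """
# constructed sample black_list.rules
5.157.87.137
192.0.2.0/24
"""

def parse_list(text):
    """Parse a reputation list file into ipaddress network objects.
    Blank lines and '#' comments are skipped; bare addresses become /32 or /128."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def classify(ip, whitelists, blacklists, priority="whitelist"):
    """Return 'whitelist', 'blacklist' or None for ip.

    'priority' is the preprocessor's "priority" keyword: it decides the
    verdict when the address is found on both kinds of list."""
    if priority not in ("whitelist", "blacklist"):
        raise ValueError("priority must be 'whitelist' or 'blacklist'")
    addr = ipaddress.ip_address(ip)
    in_white = any(addr in net for net in whitelists)
    in_black = any(addr in net for net in blacklists)
    if in_white and in_black:
        return priority
    if in_white:
        return "whitelist"
    if in_black:
        return "blacklist"
    return None

if __name__ == "__main__":
    white, black = parse_list(WHITE_LIST), parse_list(BLACK_LIST)
    for ip in ("5.157.87.137", "192.0.2.10", "10.1.2.3", "198.51.100.7"):
        print(ip, "->", classify(ip, white, black, priority="whitelist"))
```

Run it against the real /etc/snort/rules/white_list.rules and black_list.rules (and every additional blacklist file named in the config) by reading those files in place of the constructed strings; a verdict of `whitelist` for the blacklisted address would explain why it is not dropped.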
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- snort black list issue anton van der leun (Aug 01)
- Re: snort black list issue Hui Cao (huica) (Aug 01)
- Re: snort black list issue Hui cao (Aug 02)
- Re: snort black list issue anton van der leun (Aug 01)
- Re: snort black list issue anton van der leun (Aug 02)
- Re: snort black list issue Hui cao (Aug 02)
- Re: snort black list issue anton van der leun (Aug 02)
- Re: snort black list issue anton van der leun (Aug 03)
- FW: snort black list issue anton van der leun (Aug 04)
- Re: snort black list issue anton van der leun (Aug 08)
- Re: snort black list issue Hui cao (Aug 02)