Snort mailing list archives

Re: snort black list issue


From: "Hui Cao (huica)" <huica () cisco com>
Date: Mon, 1 Aug 2016 19:16:25 +0000

Have you enabled the session preprocessor?

Reputation preprocessor has been moved after session preprocessor. It is called once per session.

Best,
Hui.

From: anton van der leun <anton () vanderleun com>
Date: Monday, August 1, 2016 at 6:08 AM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Cc: "anton () triple-t-services nl" <anton () triple-t-services nl>, "alex () triple-t-services nl" <alex () triple-t-services nl>
Subject: [Snort-users] snort black list issue

Hello snort community

I ran into this issue while debugging a certain attack this weekend and noticed the following, which I don't understand:

Conditions: the snort blacklist has a certain ip address
Results: after adding this address and a warm reload of snort, ICMP messages are blocked; however, tcp sessions are NOT.

Example (ip address is not yet added to the black list)

root@xen2-zarafa-71-1:~# ping 5.157.87.137
PING 5.157.87.137 (5.157.87.137) 56(84) bytes of data.
64 bytes from 5.157.87.137: icmp_req=1 ttl=54 time=21.7 ms
64 bytes from 5.157.87.137: icmp_req=2 ttl=54 time=11.1 ms
^C

root@xen2-zarafa-71-1:~# telnet 5.157.87.137 80
Trying 5.157.87.137...
Connected to 5.157.87.137.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

root@xen2-zarafa-71-1:~# ##snort blacklist added 5.157.87.137   and snort is reloaded
root@xen2-zarafa-71-1:~# ping 5.157.87.137
PING 5.157.87.137 (5.157.87.137) 56(84) bytes of data.
^C
--- 5.157.87.137 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4030ms


root@xen2-zarafa-71-1:~# telnet 5.157.87.137 80
Trying 5.157.87.137...
Connected to 5.157.87.137.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@xen2-zarafa-71-1:~#

The screenshot of my monitoring tool is included to show that the icmp message was indeed blocked.
However, a tcp session to port 80 is still not blocked!

Here is some config and version info:

[root@snort73 scripts]# /usr/local/bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.6.2
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7


# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   scan_local, \
   priority whitelist, \
   nested_ip inner, \
   whitelist /etc/snort/rules/white_list.rules, \
   blacklist /etc/snort/rules/black_list.rules, \
   blacklist /etc/snort/rules/black_list_local.rules, \
   white trust


In my opinion the reputation processor has absolute priority and all messages should be blocked.
I hope somebody can direct me in the right direction.

Thanks in advance,
Anton van der Leun
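The dependency Hui's reply points at (reputation is evaluated once per session, so it needs the session preprocessor), as an added example that is not code from either poster: a Python check that reads a Snort 2.9.x snort.conf, drops comments, joins backslash-continued lines, and reports when the reputation preprocessor is configured without stream5. Both sample configs are constructed; the stream5 lines use standard 2.9 keywords but are assumptions, not the poster's actual settings.

```python
import re
from typing import Dict, List
# Constructed sample: the thread's reputation block, no stream5 session preprocessor.
CONF_WITHOUT_SESSION = """
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \\
   memcap 500, \\
   whitelist /etc/snort/rules/white_list.rules, \\
   blacklist /etc/snort/rules/black_list.rules, \\
   white trust
"""
# Constructed sample: same block plus assumed stream5 lines (not the poster's config).
CONF_WITH_SESSION = """
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy linux, timeout 180
preprocessor stream5_udp: timeout 180
""" + CONF_WITHOUT_SESSION

def logical_lines(text: str) -> List[str]:
    """Drop comments and join backslash-continued lines, as snort.conf is read."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
        elif line or pending:
            lines.append((pending + line).strip())
            pending = ""
    return lines

def preprocessors(text: str) -> Dict[str, str]:
    """Map each configured preprocessor name to its argument string."""
    found: Dict[str, str] = {}
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+(\w+)\s*:?\s*(.*)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def reputation_issues(text: str) -> List[str]:
    """Findings that keep the reputation blacklist from applying to TCP sessions."""
    procs = preprocessors(text)
    if "reputation" not in procs:
        return ["reputation preprocessor not configured"]
    if "stream5_global" not in procs:
        return ["stream5_global missing: reputation is evaluated once per session"]
    if re.search(r"track_tcp\s+no", procs["stream5_global"]):
        return ["stream5_global has track_tcp no: TCP sessions are not tracked"]
    return []
```

Run it against the real snort.conf by passing the file's contents to reputation_issues; a non-empty list means ICMP may be dropped while TCP sessions to a blacklisted address still complete, as in the telnet test above.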
