Re: snort black list issue

[anton van der leun <anton () vanderleun com>]

Hi Hui,

 
Yes, I checked that already.

The client of the test has ip address 192.168.63.1

 
The white-list is very short:

 
##callvoip

91.195.160.0/25

91.195.161.0/25

##microsoft

191.234.4.0/24

##ger schiedam glas:

163.158.245.128

##akama1

95.100.96.0/23

##dell download:

68.232.34.141

##alex:

37.59.121.224

##xenserver download:

95.100.97.40

##freenas:

64.62.136.60

192.168.63.100

##nagios

192.168.63.199

##ISPconfig schiedam:

10.117.0.244

##customer SNORT devices :

192.2.XXX.XXX       <changed for privacy reason>

192.168.XXX.XXX     <changed for privacy reason>

 
 
Van: Hui cao [mailto:huica () cisco com] 
Verzonden: dinsdag 2 augustus 2016 16:43
Aan: anton van der leun <anton () vanderleun com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () 
lists sourceforge net
CC: Alexander van der Leun <alex () triple-t-services nl>
Onderwerp: Re: AW: [Snort-users] snort black list issue

 
Hi Anton,

You have packets that are whitelisted. Have you checked that either IP is not in whitelist?

Do you have this defined in your rule?

drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )

Best,
Hui.

On 08/02/2016 10:21 AM, anton van der leun wrote:

Reputation Preprocessor Statistics
Total Memory Allocated: 2257540
Number of packets blacklisted: 12
Number of packets whitelisted: 333

 

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!