Snort mailing list archives

Re: snort black list issue


From: anton van der leun <anton () vanderleun com>
Date: Tue, 2 Aug 2016 17:26:49 +0200

Hi Hui,



some more testing:

Aug  2 17:33:04 snort73 snort[2834]: ===============================================================================
Aug  2 17:33:04 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:04 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:33:04 snort73 snort[2834]: Number of packets blacklisted: 9
Aug  2 17:33:04 snort73 snort[2834]: Number of packets whitelisted: 7698
Aug  2 17:33:04 snort73 snort[2834]: =========================================================================

telnet <ip blacklisted> 80  (succeeds)

Aug  2 17:33:51 snort73 snort[2834]: ===============================================================================
Aug  2 17:33:51 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:51 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:33:51 snort73 snort[2834]: Number of packets blacklisted: 10
Aug  2 17:33:51 snort73 snort[2834]: Number of packets whitelisted: 7926
Aug  2 17:33:51 snort73 snort[2834]: ===============================================================================

with browser to same ip address   (succeeds)

Aug  2 17:35:22 snort73 snort[2834]: ===============================================================================
Aug  2 17:35:22 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:35:22 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:35:22 snort73 snort[2834]: Number of packets blacklisted: 22
Aug  2 17:35:22 snort73 snort[2834]: Number of packets whitelisted: 8217
Aug  2 17:35:22 snort73 snort[2834]: ===============================================================================

So apparently there are some packets dropped, but not all...
I can remember that when I was investigating this issue last weekend I saw a lot of retransmits.
I will make a Wireshark trace via a monitor port to see what is going on here and will report the outcome to you later.

In my opinion, I believed that the reputation preprocessor looks first at every packet and, if it is on the blacklist, it
will be dropped without any further processing, but I think I am wrong on this?

thanks again,
anton





-----Original message-----
From: Hui cao <huica () cisco com>
Sent: Tuesday 2 August 2016 16:42
To: anton van der leun <anton () vanderleun com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () lists sourceforge net
Cc: Alexander van der Leun <alex () triple-t-services nl>
Subject: Re: AW: [Snort-users] snort black list issue

Hi Anton,

 You have packets that are whitelisted. Have you checked that neither IP is in the whitelist?
 
 Do you have this defined in your rule?
 
 drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )
 
 Best,
 Hui.
 
On 08/02/2016 10:21 AM, anton van der leun wrote:
 
 Reputation Preprocessor Statistics
 Total Memory Allocated: 2257540
 Number of packets blacklisted: 12
 Number of packets whitelisted: 333 
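Hui's two questions (is either IP on the whitelist, and is the gid 136 event a drop rule?) both map onto the reputation preprocessor configuration. The fragment below is an added example, not configuration taken from this thread or shipped by the Snort project; the list file paths, the `$WHITE_LIST_PATH`/`$BLACK_LIST_PATH` variables and the placeholder prefix are assumptions.

```snort
# --- snort.conf: reputation preprocessor (added example, paths are assumptions) ---
#
# priority decides which list wins when an address is on both lists.  The
# default is whitelist, so an IP that also appears in white_list.rules is
# never treated as blacklisted, which is why Hui asks about the whitelist.
# nested_ip inner applies the lookup to the inner IP header of tunnelled traffic.
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/white_list.rules, \
    blacklist $BLACK_LIST_PATH/black_list.rules

# --- black_list.rules / white_list.rules: one CIDR or address per line ---
# 203.0.113.0/24   # documentation prefix, placeholder for the blacklisted IP

# --- preprocessor.rules: the event raised for a blacklist hit (gid 136, sid 1) ---
# Weak setting: the stock rule only alerts, so the packet is still forwarded.
# alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

# Corrected setting (replace the line above, do not keep both): a drop action,
# which is the rule Hui asks Anton to confirm.
drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
```

Two checks go with this: `grep` the blacklisted address (and any prefix containing it) in both list files, because a whitelist match takes precedence under the default priority; and confirm Snort runs inline (`-Q` with an inline-capable DAQ), since a `drop` action can only block traffic in inline mode, while in passive mode the event can at most alert and the connection completes regardless.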
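Anton's test is to run one connection, dump the preprocessor statistics, and compare counters. The script below, an added example that is neither code from the thread nor part of Snort, parses the syslog lines Snort writes for "Reputation Preprocessor Statistics" and reports how much each counter moved between consecutive dumps, so each test step can be matched to the packets it actually blacklisted or whitelisted. The sample log is constructed from the three snapshots in the message above; the test labels are assumptions.

```python
"""Per-interval deltas of Snort reputation preprocessor counters.

Added example (not code from the mailing-list thread or from the Snort project).
The counters are cumulative since process start, so the interesting number is
the increment between two statistics dumps, not the absolute value.
"""
import re
from collections import OrderedDict

# Constructed sample: the three snapshots posted in the thread, verbatim.
SAMPLE_LOG = """\
Aug  2 17:33:04 snort73 snort[2834]: ===============================================================================
Aug  2 17:33:04 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:04 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:33:04 snort73 snort[2834]: Number of packets blacklisted: 9
Aug  2 17:33:04 snort73 snort[2834]: Number of packets whitelisted: 7698
Aug  2 17:33:51 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:51 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:33:51 snort73 snort[2834]: Number of packets blacklisted: 10
Aug  2 17:33:51 snort73 snort[2834]: Number of packets whitelisted: 7926
Aug  2 17:35:22 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:35:22 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:35:22 snort73 snort[2834]: Number of packets blacklisted: 22
Aug  2 17:35:22 snort73 snort[2834]: Number of packets whitelisted: 8217
"""

# Matches only the two counter lines; separators, memory line and unrelated
# syslog entries are skipped by the caller.
STAT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snort\[(?P<pid>\d+)\]: "
    r"Number of packets (?P<kind>blacklisted|whitelisted): (?P<count>\d+)$"
)


def parse_snapshots(log_text):
    """Return [(timestamp, pid, {'blacklisted': n, 'whitelisted': n}), ...] in log order.

    A snapshot is the set of counter lines sharing one timestamp and PID.
    Incomplete snapshots (e.g. a truncated dump) are dropped rather than
    allowed to produce a bogus delta.
    """
    snapshots = OrderedDict()
    for line in log_text.splitlines():
        m = STAT_RE.match(line)
        if not m:
            continue
        key = (m["ts"], m["pid"])
        snapshots.setdefault(key, {})[m["kind"]] = int(m["count"])
    return [(ts, pid, c) for (ts, pid), c in snapshots.items()
            if "blacklisted" in c and "whitelisted" in c]


def deltas(log_text, labels=None):
    """Increments of both counters between consecutive snapshots.

    `labels` optionally names the test that ran before each interval.
    A PID change means Snort restarted and the counters reset, so that
    interval is reported as a restart instead of a negative delta.
    """
    snaps = parse_snapshots(log_text)
    out = []
    for i in range(1, len(snaps)):
        (t0, p0, c0), (t1, p1, c1) = snaps[i - 1], snaps[i]
        label = labels[i - 1] if labels and i - 1 < len(labels) else ""
        if p0 != p1:
            out.append({"from": t0, "to": t1, "test": label, "restart": True,
                        "blacklisted": None, "whitelisted": None})
            continue
        out.append({"from": t0, "to": t1, "test": label, "restart": False,
                    "blacklisted": c1["blacklisted"] - c0["blacklisted"],
                    "whitelisted": c1["whitelisted"] - c0["whitelisted"]})
    return out


if __name__ == "__main__":
    # Assumed labels for the two tests Anton ran between the dumps.
    for d in deltas(SAMPLE_LOG, ["telnet <ip blacklisted> 80", "browser to same ip"]):
        print(f"{d['from']} -> {d['to']}  {d['test']:<28} "
              f"blacklisted +{d['blacklisted']}  whitelisted +{d['whitelisted']}")
```

On the thread's own numbers the telnet test moves the blacklisted counter by 1 and the browser test by 12, while the whitelisted counter rises by 228 and 291 in the same intervals; a Wireshark capture on the monitor port, as Anton plans, is what ties those few blacklisted packets to specific segments of the connection that nevertheless completed.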
 