Snort mailing list archives
Re: snort black list issue
From: Hui cao <huica () cisco com>
Date: Tue, 2 Aug 2016 12:24:26 -0400
The reputation preprocessor is called after the session preprocessor. You can capture traffic for that session and look at what happened with that session. There is lots of other traffic.

If the DAQ you use supports the BLACKLIST verdict, the DAQ will block the whole session, so snort will not receive those packets. If the DAQ does not support the BLACKLIST verdict, it should drop the first packet. After that, packets in that session will be blocked by the snort session preprocessor, not by reputation.

Best, Hui.

On 08/02/2016 11:26 AM, anton van der leun wrote:
AW: [Snort-users] snort black list issue

Hi Hui,

some more testing:

Aug 2 17:33:04 snort73 snort[2834]: ===============================================================================
Aug 2 17:33:04 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug 2 17:33:04 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug 2 17:33:04 snort73 snort[2834]: Number of packets blacklisted: 9
Aug 2 17:33:04 snort73 snort[2834]: Number of packets whitelisted: 7698
Aug 2 17:33:04 snort73 snort[2834]: =========================================================================

telnet <ip blacklisted> 80 (succeeds)

Aug 2 17:33:51 snort73 snort[2834]: ===============================================================================
Aug 2 17:33:51 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug 2 17:33:51 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug 2 17:33:51 snort73 snort[2834]: Number of packets blacklisted: 10
Aug 2 17:33:51 snort73 snort[2834]: Number of packets whitelisted: 7926
Aug 2 17:33:51 snort73 snort[2834]: ===============================================================================

with browser to same ip address (succeeds)

Aug 2 17:35:22 snort73 snort[2834]: ===============================================================================
Aug 2 17:35:22 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug 2 17:35:22 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug 2 17:35:22 snort73 snort[2834]: Number of packets blacklisted: 22
Aug 2 17:35:22 snort73 snort[2834]: Number of packets whitelisted: 8217
Aug 2 17:35:22 snort73 snort[2834]: ===============================================================================

So apparently there are some packets dropped, but not all... I can remember that when I was investigating this issue last weekend I saw a lot of retransmits.

I will make a wireshark trace via a monitor port to see what is going on here and will report the outcome to you later.

In my opinion I believed that the reputation processor looks first to every packet and if it was on the blacklist it will be dropped without any further processing, but I think I am wrong on this?

thanks again, anton

-----Original message-----
From: Hui cao <huica () cisco com>
Sent: Tuesday 2 August 2016 16:42
To: anton van der leun <anton () vanderleun com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () lists sourceforge net
Cc: Alexander van der Leun <alex () triple-t-services nl>
Subject: Re: AW: [Snort-users] snort black list issue

Hi Anton,

You have packets that are whitelisted. Have you checked that either IP is not in the whitelist? Do you have this defined in your rule?

drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )

Best, Hui.

On 08/02/2016 10:21 AM, anton van der leun wrote:

Reputation Preprocessor Statistics
Total Memory Allocated: 2257540
Number of packets blacklisted: 12
Number of packets whitelisted: 333
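As an added example (not code from the thread or from the Snort project), here is a small Python parser for the "Reputation Preprocessor Statistics" syslog lines Anton pasted; it turns consecutive dumps into per-test counter deltas, which is the comparison he is doing by hand to see whether traffic to the listed IP is being counted at all. The sample log is constructed from the quoted values, and the regex assumes the standard syslog prefix visible in his output.

```python
import re

# Constructed sample, modelled on the syslog lines quoted in the thread
# (the "====" separator and "Total Memory Allocated" lines are omitted).
SAMPLE_SYSLOG = """\
Aug  2 17:33:04 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:04 snort73 snort[2834]: Number of packets blacklisted: 9
Aug  2 17:33:04 snort73 snort[2834]: Number of packets whitelisted: 7698
Aug  2 17:33:51 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:51 snort73 snort[2834]: Number of packets blacklisted: 10
Aug  2 17:33:51 snort73 snort[2834]: Number of packets whitelisted: 7926
Aug  2 17:35:22 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:35:22 snort73 snort[2834]: Number of packets blacklisted: 22
Aug  2 17:35:22 snort73 snort[2834]: Number of packets whitelisted: 8217
"""

# syslog prefix assumed: "<Mon dd HH:MM:SS> <host> snort[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: (?P<msg>.*)$"
)
COUNTER_RE = re.compile(r"^Number of packets (?P<kind>blacklisted|whitelisted): (?P<val>\d+)$")

def parse_dumps(text):
    """One dict per statistics dump: {'ts': ..., 'blacklisted': n, 'whitelisted': n}.
    A 'Reputation Preprocessor Statistics' header line starts a new dump."""
    dumps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg == "Reputation Preprocessor Statistics":
            dumps.append({"ts": m.group("ts")})
        elif dumps:
            c = COUNTER_RE.match(msg)
            if c:
                dumps[-1][c.group("kind")] = int(c.group("val"))
    return dumps

def deltas(dumps):
    """(timestamp, +blacklisted, +whitelisted) between consecutive dumps.
    A test against a listed IP that leaves +blacklisted at 0 means the
    reputation preprocessor never matched it (e.g. the IP is also whitelisted)."""
    return [
        (cur["ts"],
         cur["blacklisted"] - prev["blacklisted"],
         cur["whitelisted"] - prev["whitelisted"])
        for prev, cur in zip(dumps, dumps[1:])
    ]
```

On the constructed sample the telnet test adds 1 blacklisted packet and the browser test adds 12, consistent with Hui's point that only the first packet of a session is counted by reputation before the session preprocessor takes over.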