Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Snort preproscesor reputation No effect

From: "????????" <85358830 () qq com>
Date: Sat, 6 May 2017 15:04:30 +0800
HI,

 

I'm running Snort2.9.8.3 on  Debian 8.2 virtual machine get problem.

I follow this tutorial :

https://sublimerobots.com/2015/12/the-snort-reputation-preprocessor/

 

but my DAQ is NFQ.The following line is my start snort command:

root@localhost:~/pack/snort-2.9.8.3/src# ./snort -Q --process-all-events --daq nfq --daq-var device=eth0 --daq-var 
queue=1 -c ../etc/snort.conf

 

My iptables configuration commands is:

 

iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1

iptables -I FORWARD -j NFQUEUE --queue-num 1

iptables -I INPUT -j NFQUEUE --queue-num 1

 

My reputation configuration is :

# Reputation preprocessor. For more information see README.reputation

preprocessor reputation: \

   memcap 500, \

   scan_local, \

#   priority whitelist, \

   white unblack, \

   nested_ip inner, \

   whitelist /root/pack/snort-2.9.8.3/rules/white_list.rules, \

   blacklist /root/pack/snort-2.9.8.3/rules/black_list.rules

 

My local.rules include :

drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; 
classtype:bad-unknown; )

 

My black_list.rules include :

192.168.59.128/24

 

My runing snort host IP is 192.168.59.188,It looks work well follow line is output:

Enabling inline operation

Running in IDS mode

 

........

....

Reputation config: 

    Processing whitelist file /root/pack/snort-2.9.8.3/rules/white_list.rules

    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /root/pack/snort-2.9.8.3/rules/white_list.rules)

    Processing blacklist file /root/pack/snort-2.9.8.3/rules/black_list.rules

      (9) => Re-defined address: '192.168.59.158/24'

    Reputation entries loaded: 1, invalid: 0, re-defined: 1 (from file /root/pack/snort-2.9.8.3/rules/black_list.rules)

    Reputation total memory usage: 329512 bytes

    Reputation total entries loaded: 1, invalid: 0, re-defined: 1

    Memcap: 500 (Default) M bytes 

    Scan local network: ENABLED

    Reputation priority:  whitelist(Default) 

    Nested IP: inner (Default) 

    White action: unblack (Default) 

    Shared memory is Not supported.

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

Initializing rule chains...

1 Snort rules read

    0 detection rules

    0 decoder rules

    1 preprocessor rules

1 Option Chains linked into 1 Chain Headers

0 Dynamic rules

+++++++++++++++++++++++++++++++++++++++++++++++++++

...........

.....

 

while I use virtual machine IP is 192.168.59.128 PING my snort host(192.168.59.188). I get alert log :

 

 

[**] [136:1:1] (spp_reputation) packets blacklisted [**]

[Classification: Potentially Bad Traffic] [Priority: 2] 

05/06-13:08:46.043200 192.168.59.128 -> 192.168.59.188

ICMP TTL:64 TOS:0x0 ID:54848 IpLen:20 DgmLen:84 DF

Type:8  Code:0  ID:20449   Seq:376  ECHO

 

[**] [136:1:1] (spp_reputation) packets blacklisted [**]

[Classification: Potentially Bad Traffic] [Priority: 2] 

05/06-13:08:47.054471 192.168.59.128 -> 192.168.59.188

ICMP TTL:64 TOS:0x0 ID:54902 IpLen:20 DgmLen:84 DF

Type:8  Code:0  ID:20449   Seq:377  ECHO

 

[**] [136:1:1] (spp_reputation) packets blacklisted [**]

[Classification: Potentially Bad Traffic] [Priority: 2] 

05/06-13:08:48.054271 192.168.59.128 -> 192.168.59.188

ICMP TTL:64 TOS:0x0 ID:55019 IpLen:20 DgmLen:84 DF

Type:8  Code:0  ID:20449   Seq:378  ECHO

 

and host 192.168.59.128 get info:

root@localhost:~# ping 192.168.59.188

PING 192.168.59.188 (192.168.59.188) 56(84) bytes of data.

^C

--- 192.168.59.188 ping statistics ---

378 packets transmitted, 0 received, 100% packet loss, time 377243ms

 

It looks worked well . rule drop looks Have effect.

but I at snort host (192.168.59.188) start software netcat  as server use  The following line:

root@localhost:~# nc -l -p 61324

 

At host 192.168.59.128 start software netcat as client use The following line:

root@localhost:~# nc 192.168.59.188 61234

 

It can connect successfully and 192.168.59.128 use SSH can connect succesfully.

 

So it looks the blacklist  No effect.

 

I am searching for a long time on net. But no use. Please help or try to give some ideas how to achieve this.

I'm sorry my English is not good.sorry I am a novice.

I'do not know if the problem can not be read.

sorry.

 

Can someone give me some help?

Can the Chinese give me some help?in Chinese.

I am a lonely self scholar, if you can give me a little help in Chinese, Thanks in advance.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: