Snort mailing list archives
Re: Snort preprocessor reputation No effect
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Sat, 6 May 2017 10:55:40 +0200
On Sat, May 6, 2017 at 9:04 AM, ééĺšć <85358830 () qq com> wrote:
Hi, I'm running Snort 2.9.8.3 on a Debian 8.2 virtual machine and have a problem. I followed this tutorial: https://sublimerobots.com/2015/12/the-snort-reputation-preprocessor/ but my DAQ is NFQ.

The following line is my start Snort command:

    root@localhost:~/pack/snort-2.9.8.3/src# ./snort -Q --process-all-events --daq nfq --daq-var device=eth0 --daq-var queue=1 -c ../etc/snort.conf

My iptables configuration commands are:

    iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
    iptables -I FORWARD -j NFQUEUE --queue-num 1
    iptables -I INPUT -j NFQUEUE --queue-num 1

My reputation configuration is:

    # Reputation preprocessor. For more information see README.reputation
    preprocessor reputation: \
        memcap 500, \
        scan_local, \
        # priority whitelist, \
        white unblack, \
        nested_ip inner, \
        whitelist /root/pack/snort-2.9.8.3/rules/white_list.rules, \
        blacklist /root/pack/snort-2.9.8.3/rules/black_list.rules

My local.rules includes:

    drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

My black_list.rules includes:

    192.168.59.128/24

My running Snort host IP is 192.168.59.188. It looks to work well; the following lines are the output:

    Enabling inline operation
    Running in IDS mode
    ........ ....
    Reputation config:
        Processing whitelist file /root/pack/snort-2.9.8.3/rules/white_list.rules
        Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /root/pack/snort-2.9.8.3/rules/white_list.rules)
        Processing blacklist file /root/pack/snort-2.9.8.3/rules/black_list.rules
        (9) => Re-defined address: '192.168.59.158/24'
        Reputation entries loaded: 1, invalid: 0, re-defined: 1 (from file /root/pack/snort-2.9.8.3/rules/black_list.rules)
        Reputation total memory usage: 329512 bytes
        Reputation total entries loaded: 1, invalid: 0, re-defined: 1
        Memcap: 500 (Default) M bytes
        Scan local network: ENABLED
        Reputation priority: whitelist(Default)
        Nested IP: inner (Default)
        White action: unblack (Default)
        Shared memory is Not supported.
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    1 Snort rules read
        0 detection rules
        0 decoder rules
        1 preprocessor rules
    1 Option Chains linked into 1 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    ........... .....

While I use the virtual machine with IP 192.168.59.128 to PING my Snort host (192.168.59.188), I get this alert log:

    [**] [136:1:1] (spp_reputation) packets blacklisted [**]
    [Classification: Potentially Bad Traffic] [Priority: 2]
    05/06-13:08:46.043200 192.168.59.128 -> 192.168.59.188
    ICMP TTL:64 TOS:0x0 ID:54848 IpLen:20 DgmLen:84 DF
    Type:8 Code:0 ID:20449 Seq:376 ECHO

    [**] [136:1:1] (spp_reputation) packets blacklisted [**]
    [Classification: Potentially Bad Traffic] [Priority: 2]
    05/06-13:08:47.054471 192.168.59.128 -> 192.168.59.188
    ICMP TTL:64 TOS:0x0 ID:54902 IpLen:20 DgmLen:84 DF
    Type:8 Code:0 ID:20449 Seq:377 ECHO

    [**] [136:1:1] (spp_reputation) packets blacklisted [**]
    [Classification: Potentially Bad Traffic] [Priority: 2]
    05/06-13:08:48.054271 192.168.59.128 -> 192.168.59.188
    ICMP TTL:64 TOS:0x0 ID:55019 IpLen:20 DgmLen:84 DF
    Type:8 Code:0 ID:20449 Seq:378 ECHO

and host 192.168.59.128 gets this info:

    root@localhost:~# ping 192.168.59.188
    PING 192.168.59.188 (192.168.59.188) 56(84) bytes of data.
    ^C
    --- 192.168.59.188 ping statistics ---
    378 packets transmitted, 0 received, 100% packet loss, time 377243ms

It looks to work well; the drop rule seems to have effect. But when I start the netcat software as a server on the Snort host (192.168.59.188) with the following line:

    root@localhost:~# nc -l -p 61324

and at host 192.168.59.128 start netcat as a client with the following line:

    root@localhost:~# nc 192.168.59.188 61234

it can connect successfully, and 192.168.59.128 can also connect successfully using SSH. So it looks like the blacklist has no effect.
Could it be this problem: http://seclists.org/snort/2016/q3/355

Marcin
I have been searching on the net for a long time, but to no avail. Please help or try to give some ideas on how to achieve this. I'm sorry my English is not good; sorry, I am a novice. I do not know whether the problem can be understood. Sorry. Can someone give me some help? Can the Chinese give me some help, in Chinese? I am a lonely self-scholar; if you can give me a little help in Chinese, thanks in advance.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
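The start-up output quoted above reports how many reputation entries were loaded and how many were re-defined, and the alerts show the preprocessor matching the pinging host. The script below is an added example for this thread, not code from the Snort project or from either poster: it parses a list in the one-address-or-CIDR-per-line format the thread shows, normalises each entry the way a prefix table stores it, counts re-defined and invalid lines in the style of the quoted output, and answers whether a packet's endpoints fall in a listed range. The sample list, the function names, and the rule that both endpoints of a packet are checked are my own constructions; Snort's real loader may differ in details.

```python
"""Parse a Snort-style IP reputation list and test packet endpoints against it.

Added example for this thread, not code from the Snort project or the posters.
It models the list format the thread shows (one IPv4 address or CIDR per line,
'#' comments) and reproduces two counters the preprocessor prints at start-up:
entries loaded and entries re-defined. Function names and the sample list are
constructed for illustration.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample list: the poster's single /24 entry, a second spelling of
# the same /24 (exercises the re-defined counter), and one malformed line.
SAMPLE_BLACKLIST = """\
# constructed black_list.rules for the example
192.168.59.128/24
192.168.59.158/24
not-an-address
"""

Networks = Dict[ipaddress.IPv4Network, int]  # network -> line number first seen


def parse_reputation_list(text: str) -> Tuple[Networks, int, int]:
    """Return (networks, invalid_count, redefined_count).

    Host bits are masked off (strict=False), so 192.168.59.128/24 is stored as
    192.168.59.0/24; a later line naming the same network is counted as
    re-defined instead of adding a second entry.
    """
    loaded: Networks = {}
    invalid = redefined = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            invalid += 1
            continue
        if net in loaded:
            redefined += 1
            continue
        loaded[net] = lineno
    return loaded, invalid, redefined


def summary(networks: Networks, invalid: int, redefined: int) -> str:
    """Format the counters the way the quoted start-up output does."""
    return (f"Reputation entries loaded: {len(networks)}, "
            f"invalid: {invalid}, re-defined: {redefined}")


def lookup(networks: Networks, ip: str) -> Optional[ipaddress.IPv4Network]:
    """Longest-prefix match of a single address; None when it is not listed."""
    addr = ipaddress.IPv4Address(ip)
    hits = [net for net in networks if addr in net]
    return max(hits, key=lambda net: net.prefixlen) if hits else None


def packet_verdict(networks: Networks, src: str, dst: str) -> str:
    """'blacklist' if either endpoint is listed, else 'pass'.

    Checking both ends is an assumption of this model; it is what makes a
    range that covers the sensor's own address match the sensor's replies too.
    """
    return "blacklist" if lookup(networks, src) or lookup(networks, dst) else "pass"


if __name__ == "__main__":
    nets, bad, redef = parse_reputation_list(SAMPLE_BLACKLIST)
    print(summary(nets, bad, redef))
    for entry in nets:
        print(f"stored as {entry}")
    # The poster's sensor address lies inside the listed /24.
    print("sensor 192.168.59.188 ->", lookup(nets, "192.168.59.188"))
    print("ping 192.168.59.128 -> 192.168.59.188:",
          packet_verdict(nets, "192.168.59.128", "192.168.59.188"))
```

Run stand-alone, it shows that 192.168.59.128/24 is stored as the whole 192.168.59.0/24 network once the host bits are ignored, and that this range also contains the sensor's own address 192.168.59.188 from the thread. A list entry meant to cover a single host is normally written with a /32 (or no prefix length at all) so that the sensor and its neighbours are not swept into the same verdict.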