Snort mailing list archives

Re: Re: Re: Re: snort preprocessor reputation Shared memory loadentries always 0


From: Victor Roemer <viroemer () cisco com>
Date: Thu, 11 May 2017 09:38:18 -0400

On 5/10/17 10:44 PM, ???????? wrote:

Thx hui.
Thank you for taking the time to answer my questions.
Now my snort reputation looks to work well.


I added IP 192.168.59.228 to the file /usr/reputation/iplists/black_list.blf, then started snort_control using the following command:
./snort_control /usr/reputation/ 1361


snort_control output:
Response 0009 with code 0 and length 45
52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
Response 0000 without data



But the snort master does not respond, and snort has not blocked the IP 192.168.59.128.
I noticed the snort output (previous output, not now):
.........
.....
     Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1179648
     Processing blacklist file /usr/reputation/iplists/black_list.blf
     Reputation entries loaded: 3, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
     Processing whitelist file /usr/reputation/iplists/white_list.wlf
     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
     Reputation total memory usage: 329820 bytes
     Reputation total entries loaded: 3, invalid: 0, re-defined: 0
     Reputation Preprocessor: Received segment 0
     Reputation Preprocessor: Instance 0 switched to segment_version 0



But my blacklist file now has 4 IPs (192.168.59.228 is the new IP). It looks like the blacklist is not reloaded.


My questions are:
1. What should I do to get the black list loaded?
2. What does "1361" mean? How should I know what it means? I searched the snort source, but I can't understand it. The following lines
are the output:


root@localhost:~/code/snort# find.sh 1361
  ################## FIND BEGIN ##################
./src/dynamic-plugins/sf_engine/sfprimetable.c:210: 1361, /* 1361 */
./src/dynamic-plugins/sf_engine/sfprimetable.c:1558: 31357, /* 31361 */
./src/dynamic-plugins/sf_engine/sfprimetable.c:2228:  136189, /* 136192 */
./src/target-based/sf_attribute_table_parser.c:1693:     1359,    0, 1360,    0, 1361,    0, 1362,    0, 1363,    0,
./src/target-based/sf_attribute_table_parser.c:3452:    11358,11358,11359,11359,11360,11360,11361,11361,11362,11362,
./src/target-based/sf_attribute_table_parser.c:4283:     1353, 1355, 1357, 1359, 1361, 1363, 1365, 1367, 1369, 1371,
./src/target-based/sf_attribute_table_parser.c:5275:     1351, 1353, 1355, 1357, 1359, 1361, 1363, 1365, 1367, 1369,
./src/target-based/sf_attribute_table_parser.c:5976:    11358,11359,11360,11361,11362,11363,11364,11365,11366,11367,
./src/dynamic-preprocessors/include/sfprimetable.c:210: 1361, /* 1361 */
./src/dynamic-preprocessors/include/sfprimetable.c:1558: 31357, /* 31361 */
./src/dynamic-preprocessors/include/sfprimetable.c:2228:  136189, /* 136192 */
./src/sfutil/sfprimetable.c:210: 1361, /* 1361 */
./src/sfutil/sfprimetable.c:1558: 31357, /* 31361 */
./src/sfutil/sfprimetable.c:2228:  136189, /* 136192 */
  ##################  FIND END  ##################

136 is the reputation preprocessor's generator id + 1 is the command.
Check src/dynamic-preprocessors/reputation/spp_reputation.h, you'll
see the following

    #define GENERATOR_SPP_REPUTATION 136
    #define CS_TYPE_REPUTATION_SHAREMEM ((GENERATOR_SPP_REPUTATION *10) + 1)
    #define CS_TYPE_REPUTATION_SHAREMEM_LOOKUP ((GENERATOR_SPP_REPUTATION *10) + 2)
    #define CS_TYPE_REPUTATION_SHAREMEM_MGMT_INFO ((GENERATOR_SPP_REPUTATION *10) + 3)



Thanks.
minggang su
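The two things asked about above (what the "1361" argument to snort_control is, and whether the blacklist on disk was actually reloaded into shared memory) can be checked with a small script. The following Python is an added example written for this thread, not code from Snort or snort_control: it splits a control-socket type number into generator id and command exactly as the #defines do, parses the snort_control "Response ..." lines and their hex dump back into the message text, and compares the entries in a .blf file with the "Reputation entries loaded" line Snort printed for that file. The sample blacklist, log lines and control output are constructed to mirror the thread (the third blacklist entry is a placeholder, since the thread never shows it), and treating '#' as a comment in list files is an assumption, not something the thread states.

```python
"""Helpers for reading the Snort 2.9.x reputation preprocessor and snort_control
output quoted in this thread. Added example code, not part of Snort."""
import ipaddress
import re

# Generator id and control-socket command types as defined in
# src/dynamic-preprocessors/reputation/spp_reputation.h (quoted in the thread).
GENERATOR_SPP_REPUTATION = 136
CS_TYPE_REPUTATION_SHAREMEM = (GENERATOR_SPP_REPUTATION * 10) + 1            # 1361
CS_TYPE_REPUTATION_SHAREMEM_LOOKUP = (GENERATOR_SPP_REPUTATION * 10) + 2     # 1362
CS_TYPE_REPUTATION_SHAREMEM_MGMT_INFO = (GENERATOR_SPP_REPUTATION * 10) + 3  # 1363


def decode_cs_type(cs_type):
    """Split a control-socket type into (generator id, command). The preprocessor
    encodes commands as generator*10 + command, so 1361 -> (136, 1)."""
    return divmod(cs_type, 10)


RESP_WITH_DATA = re.compile(r"^Response (\d+) with code (\d+) and length (\d+)$")
RESP_NO_DATA = re.compile(r"^Response (\d+) without data$")
HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")


def parse_snort_control_output(text):
    """Parse snort_control's 'Response ...' lines plus the hex dump printed under
    each one into dicts that carry the decoded payload text."""
    responses = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RESP_WITH_DATA.match(line)
        if m:
            responses.append({"type": int(m[1]), "code": int(m[2]),
                              "length": int(m[3]), "payload": b""})
            continue
        m = RESP_NO_DATA.match(line)
        if m:
            responses.append({"type": int(m[1]), "code": None,
                              "length": 0, "payload": b""})
            continue
        # Dump lines are "<hex bytes>   <ascii rendering>"; the hex column ends at
        # the first run of 3+ spaces, so ascii that looks like hex ("ec") is skipped.
        hex_part = re.split(r"\s{3,}", line, maxsplit=1)[0]
        if responses and HEX_RUN.match(hex_part):
            responses[-1]["payload"] += bytes.fromhex(hex_part)
    for r in responses:
        r["complete"] = len(r["payload"]) == r["length"]
        r["message"] = r["payload"].decode("ascii", errors="replace")
    return responses


LOADED_RE = re.compile(r"Reputation entries loaded: (\d+), invalid: (\d+), "
                       r"re-defined: (\d+) \(from file (\S+)\)")


def parse_list_file(text):
    """Parse a .blf/.wlf list, one IP or CIDR per line; blank lines are skipped and
    '#' starts a comment (assumption). Returns (networks, [(lineno, bad_entry)])."""
    networks, invalid = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append((lineno, entry))
    return networks, invalid


def check_list_reloaded(list_text, snort_log, list_path):
    """Compare distinct entries on disk with the count Snort last reported loading
    from list_path. Returns (on_disk, loaded, not_yet_loaded); loaded is None if
    the log never mentions the file, i.e. no (re)load happened at all."""
    networks, _ = parse_list_file(list_text)
    loaded = None
    for m in LOADED_RE.finditer(snort_log):
        if m[4] == list_path:
            loaded = int(m[1])
    on_disk = len(set(networks))
    return on_disk, loaded, None if loaded is None else on_disk - loaded


# Constructed sample input mirroring the thread; the third blacklist entry is a
# placeholder because the thread does not show it.
SAMPLE_BLACKLIST = """\
192.168.59.158/32
192.168.59.128/32
192.168.59.200/32   # placeholder entry
192.168.59.228/32
"""
SAMPLE_SNORT_LOG = """\
     Reputation entries loaded: 3, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
"""
SAMPLE_CONTROL_OUTPUT = """\
Response 0009 with code 0 and length 45
52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
Response 0000 without data
"""

if __name__ == "__main__":
    print(decode_cs_type(1361))
    for r in parse_snort_control_output(SAMPLE_CONTROL_OUTPUT):
        print(r["type"], r["code"], r["complete"], repr(r["message"]))
    print(check_list_reloaded(SAMPLE_BLACKLIST, SAMPLE_SNORT_LOG,
                              "/usr/reputation/iplists/black_list.blf"))
```

Run against the sample data it decodes the hex dump to "Reputation Preprocessor: No segments received" and reports (4, 3, 1) for the blacklist: four distinct entries on disk, three loaded according to the last Snort log line, one still not in shared memory, which is the situation described above. Point the last call at your real black_list.blf contents and the latest Snort output to see whether a reload has picked up a newly added entry.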


------------------ Original Message ------------------
From: "Hui Cao (huica)";<huica () cisco com>;
Sent: May 10, 2017, 9:12
To: "????????"<85358830 () qq com>; "Snort-users"<snort-users () lists sourceforge net>;

Subject: Re: Re: [Snort-users] Re: snort preprocessor reputation Shared memory loadentries always 0



   
My questions are:

1. What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?

Yes. You can set it to a higher number since it is configurable. The configure option is "shared_max_instances". I think the default is 50.

2. How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.

You have output like this; it is a reader:

    Mapped shared management region of size 128 as a reader.
     Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880

From:  ???????? <85358830 () qq com>
  Date: Wednesday, May 10, 2017 at 12:54 AM
  To: "Hui Cao (huica)" <huica () cisco com>, Snort-users <snort-users () lists sourceforge net>
  Subject: Re: [Snort-users] Re: snort preprocessor reputation Shared memory loadentries always 0
  
   
  
  
   
Thx hui.

I used the command as you gave me:
./snort -G 0 -Q --process-all-events -c ../etc/snort.conf

The following is the output of the Master snort:
.......
...
Reputation config:
     Reputation total memory usage: 0 bytes
     Reputation total entries loaded: 0, invalid: 0, re-defined: 0
     Memcap: 500 (Default) M bytes
     Scan local network: ENABLED
     Reputation priority:  whitelist(Default)
     Nested IP: both
     White action: unblack (Default)
     Shared memory supported, Update directory: /usr/reputation/iplists
     Shared memory refresh period: 60 (Default) seconds
     Shared memory max instances: 2
..........
......
Reload thread starting...
Reload thread started, thread 0xa44f1b40 (26006)
     Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a writer.
     Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
     Processing blacklist file /usr/reputation/iplists/black_list.blf
     Reputation entries loaded: 2, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
     Processing whitelist file /usr/reputation/iplists/white_list.wlf
     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
     Reputation total memory usage: 329712 bytes
     Reputation total entries loaded: 2, invalid: 0, re-defined: 0
........
.....

The Master snort looks to work well. Next step, I start a new snort instance as a client. It looks like it does not load the shared memory black list info; the following line is my command:
./snort -G 1 -Q --process-all-events -c ../etc/snort.conf.smg.5.9

It outputs:
.......
.....
Reputation config:
     Reputation total memory usage: 0 bytes
     Reputation total entries loaded: 0, invalid: 0, re-defined: 0
     Memcap: 500 (Default) M bytes
     Scan local network: ENABLED
     Reputation priority:  whitelist(Default)
     Nested IP: both
     White action: unblack (Default)
     Shared memory supported, Update directory: /usr/reputation/iplists
     Shared memory refresh period: 60 (Default) seconds
     Shared memory max instances: 2
........
......
Reload thread starting...
Reload thread started, thread 0xa44a1b40 (26334)
     Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a reader.
     Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
..........
....

My questions are:
1. What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?
2. How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.

------------------ Original Message ------------------
From: "Hui Cao (huica)";<huica () cisco com>;
Sent: May 9, 2017, 11:53
To: "????????"<85358830 () qq com>;  "Snort-users"<snort-users () lists sourceforge net>;

Subject: Re:  [Snort-users] Re: snort preprocessor reputation Shared memory loadentries always 0
  
  
   
  
  
  
  You should use the command:
  
  ./snort -G 0 -Q --process-all-events -c ../etc/snort.conf
  
  Only instance 0 will be a shared memory writer.
  
  Best,
  Hui.
  On 5/9/17, 11:46 AM, "????????" <85358830 () qq com> wrote:
  
      Sorry, message attachments are not supported.
      Here is my snort.conf:
      
      
      # Reputation preprocessor. For more information see README.reputation
      preprocessor reputation: \
         memcap 500, \
         scan_local, \
      #   priority whitelist, \
         white unblack, \
         nested_ip both, \
      #   whitelist /usr/reputation/iplists/white_list.wlf, \
      #   blacklist /usr/reputation/iplists/black_list.blf, \
         shared_mem /usr/reputation/iplists, \
         shared_refresh 60
      
      
      
      
      
      
      
      
      
      Here is my black_list.blf:
      192.168.59.158/32
      192.168.59.128/32
      
      
      
      
      ------------------ Original Message ------------------
      From: "85358830";<85358830 () qq com>;
      Sent: May 9, 2017, 11:28
      To: "Snort-users"<snort-users () lists sourceforge net>;

      Subject: [Snort-users] snort preprocessor reputation Shared memory loadentries always 0
      
      
      
      Good day to all! I'm using Snort 2.9.8.3 on a Debian 8.2 virtual machine. To test reputation shared memory and
      control-socket, I'm following Snort manual 2.2.20 shared memory support step by step, but it looks not to work well.
      
      
      My config file and white/black list files are in the mail attachments.
      The following line is my snort start command:
      ./snort -G 1 -Q --process-all-events -c ../etc/snort.conf
      
      
      The following is the output of the snort:
      .......
      ...
      Reputation config:
          Reputation total memory usage: 0 bytes
          Reputation total entries loaded: 0, invalid: 0, re-defined: 0
          Memcap: 500 (Default) M bytes
          Scan local network: ENABLED
          Reputation priority:  whitelist(Default)
          Nested IP: both
          White action: unblack (Default)
          Shared memory supported, Update directory: /usr/reputation/iplists
          Shared memory refresh period: 60 (Default) seconds
          Shared memory max instances: 2
      
      +++++++++++++++++++++++++++++++++++++++++++++++++++
      Initializing rule chains...
      1 Snort rules read
          0 detection rules
          0 decoder rules
          1 preprocessor rules
      1 Option Chains linked into 1 Chain Headers
      0 Dynamic rules
      +++++++++++++++++++++++++++++++++++++++++++++++++++
      
      ..........
      .....
      
      
      nfq DAQ configured to inline.
      Reload thread starting...
      Reload thread started, thread 0xa443db40 (25579)
          Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
      Mapped shared management region of size 128 as a reader.
      
      ........
      .....
      
      
      It appears that the blacklist is not loaded into shared memory. Why?
      Who can tell me why?
      
      
      I have been searching for a long time on the net, but no use. Please help or try to give some ideas on how to achieve this.

      I'm sorry my English is not good. Sorry, I am a novice.
      Sorry.

       

      Can someone give me some help?

      Can the Chinese give me some help? In Chinese.

      I am a lonely self learner; if you can give me a little help, thank you very much.
      Best regards to all!
      ------------------------------------------------------------------------------
      Check out the vibrant tech community on one of the world's most
      engaging tech sites, Slashdot.org! http://sdm.link/slashdot
      _______________________________________________
      Snort-users mailing list
      Snort-users () lists sourceforge net
      Go to this URL to change user options or unsubscribe:
      https://lists.sourceforge.net/lists/listinfo/snort-users
      Snort-users list archive:
      http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
      
      Please visit http://blog.snort.org to stay current on all the latest Snort news!