[Snort-users] Reputation Preprocessor

Hui Cao hcao at ...1935...
Mon Dec 12 15:05:19 EST 2011


Hi Shlomi,

If you want to enable/log events, you need to enable the reputation
preprocessor alerts.

The following lines might help you:

alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; )

See README.reputation for how to use the reputation preprocessor.

Best,

Hui.

On Wed, Dec 7, 2011 at 6:29 PM, Joel Esler <jesler at ...1935...> wrote:
> In its present release (updates will be coming!) it's most used for inline mode. Blacklist blocks IPs, whitelist doesn't inspect the traffic at all and allows it to pass.
>
> --
> Joel Esler
>
> On Dec 7, 2011, at 5:56 PM, Shlomi Musseri <musseri10 at ...11827...> wrote:
>
>>
>> Hi Guys,
>>
>> We work with Snort in port mirroring mode. We have a lot of packet drops because we are using a lot of IP blacklist rules.
>> In the new version of Snort, 2.9.2.1, we are trying to use the Reputation Preprocessor, which will help us run IP reputation before other preprocessors.
>> The preprocessor doesn't write any logs.
>> Why don't we see any output from the Reputation Preprocessor? Can it run in port mirroring mode?
>>
>> Thanks,
>>
>> Shlomi
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!

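Added example, not part of the thread or of the Snort distribution: a small check for the situation discussed above, where the reputation preprocessor is configured but its gid 136 alert rules are not enabled, so nothing is logged. The sample snort.conf fragment, the file path in it and all function names are constructed for illustration; the two rule lines are the ones quoted in the reply.

```python
import re

# Constructed sample inputs: only the blacklist event rule is enabled here.
SAMPLE_CONF = r"""
var PREPROC_RULE_PATH ../preproc_rules
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   blacklist /etc/snort/rules/black_list.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
"""

SAMPLE_RULES = """
alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )
# alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; )
"""

REPUTATION_GID = 136
EVENTS = {1: "REPUTATION_EVENT_BLACKLIST", 2: "REPUTATION_EVENT_WHITELIST"}

def active_lines(text):
    """Join backslash-continued lines, then drop blanks and '#' comments."""
    joined = re.sub(r"\\\s*\n", " ", text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def reputation_enabled(conf_text):
    """True if an uncommented 'preprocessor reputation' line exists."""
    return any(re.match(r"preprocessor\s+reputation\b", l)
               for l in active_lines(conf_text))

def enabled_reputation_sids(rules_text):
    """Return the sids of uncommented alert rules that carry gid 136."""
    sids = set()
    for line in active_lines(rules_text):
        opts = dict(re.findall(r"(\w+)\s*:\s*\"?([^;\"]+)\"?\s*;", line))
        if (line.startswith("alert") and "sid" in opts
                and opts.get("gid", "").strip() == str(REPUTATION_GID)):
            sids.add(int(opts["sid"]))
    return sids

def silent_events(conf_text, rules_text):
    """Names of reputation events that would never be logged."""
    if not reputation_enabled(conf_text):
        return []
    enabled = enabled_reputation_sids(rules_text)
    return [name for sid, name in sorted(EVENTS.items()) if sid not in enabled]

if __name__ == "__main__":
    print(silent_events(SAMPLE_CONF, SAMPLE_RULES))
```
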