[Snort-users] Is the reputation preprocessor still experimental?

Russ Combs rcombs at ...1935...
Wed Jun 20 12:50:59 EDT 2012


Glad to hear the reputation preprocessor is working for you.  The active
response rule options are intended to be used within regular detection
rules that provide session context.  That way you can ensure that your web
page is being sent in response to an HTTP request and that it is only sent
once per session.  Those key aspects are lost when you try to use the
reputation preprocessor rule.  Is there a reason you aren't still using
your detection rule?

On Fri, Jun 15, 2012 at 8:53 AM, Guillaume Daleux <
guillaume.daleux at ...13827...> wrote:

> Hello,
>
> For information, we use it for two months in a preproduction environment
> and it works very well. We have only one problem with the react keyword
> which works in detection rules but not with reputation rule.
>
> preprocessor reputation: blacklist ip_reputation, scan_local
> config react: /usr/local/IDS/snort/snortIPS1/conf/block.html
>
> with rule :
>
> drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1;
> react; )
>
> Thanks you
>
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Thursday, June 14, 2012 5:39 PM
> To: Miguel Alvarez
> Cc: Snort Users
> Subject: Re: [Snort-users] Is the reputation preprocessor still
> experimental?
>
> On Jun 12, 2012, at 2:09 PM, Miguel Alvarez <miguellvrz9 at ...11827...>
> wrote:
>
> > Hello,
> >
> > I was just looking at the README.reputation and it says that it is
> > experimental and not to be used in production environments.  Is that
> > still the case?
> It's still experimental, and there are more improvements to it in the
> next version of Snort, however, we need as many people to test it as
> possible.
>
> Thanks.
>
> Joel
>
>
>
> ------------------------------------------------------------------------
> ------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond.
> Discussions
> will include endpoint security, mobile security and the latest in
> malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120620/5ec1e9fc/attachment.html>


More information about the Snort-users mailing list