[Snort-users] Reputation preprocessor isn't blocking traffic

Joel Esler (jesler) jesler at ...589...
Mon Dec 9 20:24:38 EST 2013


Do you have the two reputation preprocessor rules enabled in preprocessor.rules?

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team

Sent from my iPhone.  

> On Dec 7, 2013, at 22:06, "Dave Corsello" <snort-users at ...15598...> wrote:
> 
> Hi,
> 
> I'm running Snort 2.9.5.5 inline.  My reputation preprocessor doesn't
> seem to be blocking all of the traffic that it's configured to block. 
> My snort.conf contains:
> 
> var WHITE_LIST_PATH /etc/snort/rules
> var BLACK_LIST_PATH /etc/snort/rules
> 
> preprocessor reputation: \
>   memcap 500, \
>   priority whitelist, \
>   nested_ip inner, \
>   whitelist $WHITE_LIST_PATH/default.whitelist, \
>   blacklist $BLACK_LIST_PATH/default.blacklist
> 
> My default.whitelist file is empty.  My default.blacklist file contains
> around 2600 entries, most of which come from labs.snort.org via
> pulledpork, and two of which I added manually.  (I'm just realizing that
> the two that I added today will probably be lost when pulledpork runs
> again.  But they are currently still there.)
> 
> When snort initializes, the following messages are displayed:
> 
> Dec  7 14:11:40 sensor1 snort[14229]: Reputation config:
> Dec  7 14:11:40 sensor1 snort[14229]: WARNING:
> /etc/snort/snort.conf(514) => Keyword priority for whitelist is not
> applied when white action is unblack.
> Dec  7 14:11:40 sensor1 snort[14229]:     Processing whitelist file
> /etc/snort/rules/default.whitelist
> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded: 0,
> invalid: 0, re-defined: 0 (from file /etc/snort/rules/default.whitelist)
> Dec  7 14:11:40 sensor1 snort[14229]:     Processing blacklist file
> /etc/snort/rules/default.blacklist
> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded:
> 3955, invalid: 0, re-defined: 0 (from file
> /etc/snort/rules/default.blacklist)
> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total memory usage:
> 6156928 bytes
> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total entries
> loaded: 3955, invalid: 0, re-defined: 0
> Dec  7 14:11:40 sensor1 snort[14229]:     Memcap: 500 (Default) M bytes
> Dec  7 14:11:40 sensor1 snort[14229]:     Scan local network: DISABLED
> (Default)
> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation priority:  blacklist
> Dec  7 14:11:40 sensor1 snort[14229]:     Nested IP: inner (Default)
> Dec  7 14:11:40 sensor1 snort[14229]:     White action: unblack (Default)
> Dec  7 14:11:40 sensor1 snort[14229]:     Shared memory is Not supported.
> 
> When snort is terminated, a non-zero "Number of packets blacklisted" is
> often included in the statistics.   So, it looks like some traffic is
> being blacklisted.
> 
> However, it appears that all traffic from the two addresses that I added
> to the blacklist is being allowed to pass through.  The first address is
> an actual source of annoying traffic.  The second is a known good
> address that I blacklisted for testing.  Any ideas why the traffic is
> not being blocked?
> 
> --Dave
> 
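As an added example that is not part of this thread (it is neither Joel's nor Dave's code, nor Snort's), here is a small Python checker for the two things the messages above point at: whether a given address actually falls inside an entry of the blacklist file, parsed in the one-IP-or-CIDR-per-line format the reputation preprocessor reads (with `#` comments, which is an assumption about the format), and whether the two reputation preprocessor event rules (GID 136, SID 1 for blacklist hits and SID 2 for whitelist hits) are uncommented in preprocessor.rules. The sample blacklist and rules excerpt are constructed, use RFC 5737 documentation addresses, and are not the poster's files; the invalid-entry count the parser returns corresponds to the `invalid:` figure in the startup log.

```python
import ipaddress
import re

# Constructed sample blacklist in the one-IP-or-CIDR-per-line format the
# reputation preprocessor reads ('#' starts a comment, assumed).  Addresses
# are RFC 5737 documentation ranges, not entries from the thread.
SAMPLE_BLACKLIST = """\
# entries pulled by pulledpork (constructed)
198.51.100.0/24
203.0.113.7
# entries added by hand (constructed)
192.0.2.10
192.0.2.300
"""

# Constructed preprocessor.rules excerpt: the blacklist event rule is
# commented out, the whitelist event rule is enabled.
SAMPLE_PREPROC_RULES = """\
# alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
"""

REPUTATION_GID = 136                       # generator id of the reputation preprocessor
REPUTATION_SIDS = {1: "blacklist", 2: "whitelist"}
GID_RE = re.compile(r"\bgid:\s*(\d+)")
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def parse_reputation_list(text):
    """Parse a whitelist/blacklist file.

    Returns (networks, invalid): the valid entries as ip_network objects and
    a list of (line number, entry) pairs that do not parse, which is what the
    preprocessor reports as 'invalid:' when it loads the file.
    """
    networks, invalid = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append((lineno, entry))
    return networks, invalid


def is_listed(address, networks):
    """True if the address falls inside any entry of the parsed list."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def reputation_rules_enabled(rules_text):
    """Map each reputation rule SID found in preprocessor.rules to whether its
    line is active (True) or commented out (False)."""
    enabled = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        body = line.lstrip("# ")                # look inside commented rules too
        gid, sid = GID_RE.search(body), SID_RE.search(body)
        if gid and sid and int(gid.group(1)) == REPUTATION_GID:
            enabled[int(sid.group(1))] = not commented
    return enabled


def diagnose(address, blacklist_text, rules_text):
    """Return a list of findings explaining why traffic from 'address' might
    not be blocked; an empty list means every check passed."""
    findings = []
    networks, invalid = parse_reputation_list(blacklist_text)
    for lineno, entry in invalid:
        findings.append(f"blacklist line {lineno}: '{entry}' is not a valid IP or CIDR")
    if not is_listed(address, networks):
        findings.append(f"{address} is not covered by any blacklist entry")
    enabled = reputation_rules_enabled(rules_text)
    for sid, name in REPUTATION_SIDS.items():
        if not enabled.get(sid, False):
            findings.append(f"reputation {name} rule {REPUTATION_GID}:{sid} "
                            "is missing or commented out")
    return findings


if __name__ == "__main__":
    # Hypothetical run against the constructed inputs; swap in the real
    # file contents with open(...).read() to check a live sensor.
    for finding in diagnose("192.0.2.10", SAMPLE_BLACKLIST, SAMPLE_PREPROC_RULES):
        print(finding)
```

On the constructed inputs the run reports the malformed entry on line 6 and the commented-out 136:1 rule, while the address itself is found in the list; an address such as 192.0.2.11 additionally triggers the "not covered" finding, which separates a list-content problem from a rule-enablement problem.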