[Snort-users] Reputation preprocessor isn't blocking traffic

Dave Corsello snort-users at ...15598...
Tue Dec 10 11:57:37 EST 2013


Yes, they're enabled.

They were configured, by default, to alert, but I wasn't getting any
alerts.  I changed the rule to drop, but no traffic is dropped.

I created a simple local rule to see if I can get alerts of any kind on
traffic from the same test address that I added to the blacklist: 

    alert tcp XX.XX.XX.XX any -> any any (msg:"testing"; sid:1000002; rev:1;)

I'm not getting alerts from this rule.  Very strange.  I must be missing
something.  The only thing different about the test address is that it's
listed in my local DNS, but that shouldn't make a difference...

On 12/9/2013 8:24 PM, Joel Esler (jesler) wrote:
> Do you have the two reputation preprocessors rules enabled in preprocessor.rules?
>
> --
> Joel Esler
> Intelligence Lead
> Open Source Manager
> Vulnerability Research Team
>
> Sent from my iPhone.  
>
>> On Dec 7, 2013, at 22:06, "Dave Corsello" <snort-users at ...15598...> wrote:
>>
>> Hi,
>>
>> I'm running Snort 2.9.5.5 inline.  My reputation preprocessor doesn't
>> seem to be blocking all of the traffic that it's configured to block. 
>> My snort.conf contains:
>>
>> var WHITE_LIST_PATH /etc/snort/rules
>> var BLACK_LIST_PATH /etc/snort/rules
>>
>> preprocessor reputation: \
>>   memcap 500, \
>>   priority whitelist, \
>>   nested_ip inner, \
>>   whitelist $WHITE_LIST_PATH/default.whitelist, \
>>   blacklist $BLACK_LIST_PATH/default.blacklist
>>
>> My default.whitelist file is empty.  My default.blacklist file contains
>> around 2600 entries, most of which come from labs.snort.org via
>> pulledpork, and two of which I added manually.  (I'm just realizing that
>> the two that I added today will probably be lost when pulledpork runs
>> again.  But they are currently still there.)
>>
>> When snort initializes, the following messages are displayed:
>>
>> Dec  7 14:11:40 sensor1 snort[14229]: Reputation config:
>> Dec  7 14:11:40 sensor1 snort[14229]: WARNING:
>> /etc/snort/snort.conf(514) => Keyword priority for whitelist is not
>> applied when white action is unblack.
>> Dec  7 14:11:40 sensor1 snort[14229]:     Processing whitelist file
>> /etc/snort/rules/default.whitelist
>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded: 0,
>> invalid: 0, re-defined: 0 (from file /etc/snort/rules/default.whitelist)
>> Dec  7 14:11:40 sensor1 snort[14229]:     Processing blacklist file
>> /etc/snort/rules/default.blacklist
>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded:
>> 3955, invalid: 0, re-defined: 0 (from file
>> /etc/snort/rules/default.blacklist)
>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total memory usage:
>> 6156928 bytes
>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total entries
>> loaded: 3955, invalid: 0, re-defined: 0
>> Dec  7 14:11:40 sensor1 snort[14229]:     Memcap: 500 (Default) M bytes
>> Dec  7 14:11:40 sensor1 snort[14229]:     Scan local network: DISABLED
>> (Default)
>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation priority:  blacklist
>> Dec  7 14:11:40 sensor1 snort[14229]:     Nested IP: inner (Default)
>> Dec  7 14:11:40 sensor1 snort[14229]:     White action: unblack (Default)
>> Dec  7 14:11:40 sensor1 snort[14229]:     Shared memory is Not supported.
>>
>> When snort is terminated, a non-zero "Number of packets blacklisted" is
>> often included in the statistics.   So, it looks like some traffic is
>> being blacklisted.
>>
>> However, it appears that all traffic from the two addresses that I added
>> to the blacklist is being allowed to pass through.  The first address is
>> an actual source of annoying traffic.  The second is a known good
>> address that I blacklisted for testing.  Any ideas why the traffic is
>> not being blocked?
>>
>> --Dave
>>
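Added example, not code from the thread or from the Snort project: when an address that is supposedly blacklisted keeps getting through, the first thing to verify offline is that the address is actually covered by a loaded blacklist entry and not cancelled by a whitelist entry. The script below parses reputation lists in the format the preprocessor reads (assumed here: one IPv4/IPv6 address or CIDR block per line, `#` starts a comment, a bare address means a single host) and reports the counts Snort prints at startup plus a verdict for a test address. The decision model (white action `unblack` removes the address from the blacklist, `trust` skips inspection, `priority` only matters under `trust`) is my simplification of the preprocessor's documented options, and the sample lists and addresses are constructed.

```python
"""Offline sanity check for Snort reputation blacklist/whitelist files.

Added example; assumptions (not stated in the thread): one address or CIDR per
line, '#' comments, blank lines ignored.  Decision model is simplified.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample lists (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_BLACKLIST = """\
# constructed sample blacklist
198.51.100.0/24      # a range
203.0.113.7          # single host, treated as /32
203.0.113.7          # duplicate line, counted as re-defined
not-an-address       # counted as invalid
2001:db8::/32        # IPv6 range
"""
SAMPLE_WHITELIST = """\
198.51.100.50        # one host inside the blacklisted /24
"""


@dataclass
class RepList:
    name: str
    networks: list = field(default_factory=list)
    loaded: int = 0
    invalid: int = 0
    redefined: int = 0


def parse_reputation_list(text, name):
    """Parse list text into networks, counting loaded/invalid/re-defined lines."""
    rl = RepList(name)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comment and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IP -> /32 or /128
        except ValueError:
            rl.invalid += 1
            continue
        if net in seen:
            rl.redefined += 1
            continue
        seen.add(net)
        rl.networks.append(net)
        rl.loaded += 1
    return rl


def matching_entries(rl, addr):
    """Return every entry in rl that covers addr (same IP version only)."""
    ip = ipaddress.ip_address(addr)
    return [n for n in rl.networks if n.version == ip.version and ip in n]


def classify(addr, blacklist, whitelist, white_action="unblack", priority="whitelist"):
    """Simplified verdict: 'blacklisted', 'trusted' or 'allowed'.

    unblack: a whitelist hit only removes the address from the blacklist.
    trust:   a whitelist hit skips inspection; 'priority' decides conflicts.
    """
    black_hits = matching_entries(blacklist, addr)
    white_hits = matching_entries(whitelist, addr)
    if white_action == "unblack":
        return "blacklisted" if black_hits and not white_hits else "allowed"
    # white_action == "trust"
    if black_hits and white_hits:
        return "trusted" if priority == "whitelist" else "blacklisted"
    if black_hits:
        return "blacklisted"
    return "trusted" if white_hits else "allowed"


def report(addr, blacklist, whitelist, **opts):
    """Human-readable explanation of why addr gets the verdict it gets."""
    verdict = classify(addr, blacklist, whitelist, **opts)
    b = [str(n) for n in matching_entries(blacklist, addr)]
    w = [str(n) for n in matching_entries(whitelist, addr)]
    return f"{addr}: {verdict} (blacklist hits {b or 'none'}, whitelist hits {w or 'none'})"


if __name__ == "__main__":
    black = parse_reputation_list(SAMPLE_BLACKLIST, "blacklist")
    white = parse_reputation_list(SAMPLE_WHITELIST, "whitelist")
    for rl in (black, white):
        print(f"{rl.name}: loaded {rl.loaded}, invalid {rl.invalid}, re-defined {rl.redefined}")
    for test in ("203.0.113.7", "198.51.100.50", "198.51.100.51", "192.0.2.1", "2001:db8::1"):
        print(report(test, black, white))
```

Run it against the real `default.blacklist` and `default.whitelist` by reading the files instead of the constructed strings; if the test address yields no blacklist hit, the entry never loaded (invalid line, wrong file path, or overwritten by the next pulledpork run), and if it yields a whitelist hit, `unblack` is doing exactly what the startup banner says it does.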