[Snort-users] Reputation preprocessor isn't blocking traffic

Dave Corsello snort-users at ...15598...
Fri Dec 13 12:03:02 EST 2013


This is kind of tangential, but without any intervention other than
scheduled restarts of Snort, the local rule started generating alerts.

As I mentioned before, when Snort terminates, it reports that packets
are blacklisted.  But I'm not seeing any alerts in Base.  Any other
thoughts or suggestions, Joel?

On 12/10/2013 11:57 AM, Dave Corsello wrote:
> Yes, they're enabled.
>
> They were configured, by default, to alert, but I wasn't getting any
> alerts.  I changed the rule to drop, but no traffic is dropped.
>
> I created a simple local rule to see if I can get alerts of any kind on
> traffic from the same test address that I added to the blacklist: 
>
>     alert tcp XX.XX.XX.XX any -> any any (msg:"testing"; sid:1000002; rev:1;)
>
> I'm not getting alerts from this rule.  Very strange.  I must be missing
> something.  The only thing different about the test address is that it's
> listed in my local DNS, but that shouldn't make a difference...
>
> On 12/9/2013 8:24 PM, Joel Esler (jesler) wrote:
>> Do you have the two reputation preprocessors rules enabled in preprocessor.rules?
>>
>> --
>> Joel Esler
>> Intelligence Lead
>> Open Source Manager
>> Vulnerability Research Team
>>
>> Sent from my iPhone.  
>>
>>> On Dec 7, 2013, at 22:06, "Dave Corsello" <snort-users at ...15598...> wrote:
>>>
>>> Hi,
>>>
>>> I'm running Snort 2.9.5.5 inline.  My reputation preprocessor doesn't
>>> seem to be blocking all of the traffic that it's configured to block. 
>>> My snort.conf contains:
>>>
>>> var WHITE_LIST_PATH /etc/snort/rules
>>> var BLACK_LIST_PATH /etc/snort/rules
>>>
>>> preprocessor reputation: \
>>>   memcap 500, \
>>>   priority whitelist, \
>>>   nested_ip inner, \
>>>   whitelist $WHITE_LIST_PATH/default.whitelist, \
>>>   blacklist $BLACK_LIST_PATH/default.blacklist
>>>
>>> My default.whitelist file is empty.  My default.blacklist file contains
>>> around 2600 entries, most of which come from labs.snort.org via
>>> pulledpork, and two of which I added manually.  (I'm just realizing that
>>> the two that I added today will probably be lost when pulledpork runs
>>> again.  But they are currently still there.)
>>>
>>> When snort initializes, the following messages are displayed:
>>>
>>> Dec  7 14:11:40 sensor1 snort[14229]: Reputation config:
>>> Dec  7 14:11:40 sensor1 snort[14229]: WARNING:
>>> /etc/snort/snort.conf(514) => Keyword priority for whitelist is not
>>> applied when white action is unblack.
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Processing whitelist file
>>> /etc/snort/rules/default.whitelist
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded: 0,
>>> invalid: 0, re-defined: 0 (from file /etc/snort/rules/default.whitelist)
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Processing blacklist file
>>> /etc/snort/rules/default.blacklist
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded:
>>> 3955, invalid: 0, re-defined: 0 (from file
>>> /etc/snort/rules/default.blacklist)
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total memory usage:
>>> 6156928 bytes
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total entries
>>> loaded: 3955, invalid: 0, re-defined: 0
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Memcap: 500 (Default) M bytes
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Scan local network: DISABLED
>>> (Default)
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Reputation priority:  blacklist
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Nested IP: inner (Default)
>>> Dec  7 14:11:40 sensor1 snort[14229]:     White action: unblack (Default)
>>> Dec  7 14:11:40 sensor1 snort[14229]:     Shared memory is Not supported.
>>>
>>> When snort is terminated, a non-zero "Number of packets blacklisted" is
>>> often included in the statistics.   So, it looks like some traffic is
>>> being blacklisted.
>>>
>>> However, it appears that all traffic from the two addresses that I added
>>> to the blacklist is being allowed to pass through.  The first address is
>>> an actual source of annoying traffic.  The second is a known good
>>> address that I blacklisted for testing.  Any ideas why the traffic is
>>> not being blocked?
>>>
>>> --Dave
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
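The thread above turns on how the reputation preprocessor combines its two lists and which addresses it looks at in the first place. The following script is an added example for working through that offline; it is not code from the thread or from the Snort project. It assumes the list format documented for Snort 2.9.x (one IP or CIDR per line, `#` starts a comment), the documented `white` semantics (`unblack`: a whitelist hit only removes the address from the blacklist and `priority` is ignored, which is what the startup warning quoted above says; `trust`: a whitelist hit bypasses inspection and `priority` decides an address that is on both lists), and the documented default of `scan_local` being off, which makes the preprocessor skip RFC 1918 addresses. The sample lists and test addresses are constructed for the example.

```python
"""Offline checker for Snort 2.9 reputation preprocessor list files.

Added example, not code from the thread or from the Snort project.
Assumes the documented list format (one IP or CIDR per line, '#' comments),
the documented white-action/priority semantics and the scan_local default.
"""
import ipaddress

# Constructed sample lists (not the poster's files). One entry per line;
# trailing comments are stripped here as a convenience of this script.
SAMPLE_BLACKLIST = """\
# constructed sample: feed-style ranges plus two manual entries
203.0.113.0/24
198.51.100.7
192.168.1.50
2001:db8::/32
300.1.1.1
"""
# The last line above is deliberately invalid, to mirror the
# "invalid: N" counter in the startup log.

SAMPLE_WHITELIST = """\
# constructed sample
203.0.113.42
"""

# Addresses the preprocessor ignores unless scan_local is enabled
# (documented default: disabled).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_list(text):
    """Parse list text into (networks, invalid_lines), like the loader's counters."""
    nets, invalid = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))  # host -> /32 or /128
        except ValueError:
            invalid.append((lineno, raw))
    return nets, invalid


def matches(addr, nets):
    """True if addr falls inside any network in nets (version mismatch -> False)."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def verdict(addr, blacklist, whitelist, white_action="unblack",
            priority="whitelist", scan_local=False):
    """Action the preprocessor would take for a packet to/from addr."""
    a = ipaddress.ip_address(addr)
    if not scan_local and a.version == 4 and any(a in n for n in RFC1918):
        return "skip (RFC1918 address, scan_local disabled)"
    in_black = matches(addr, blacklist)
    in_white = matches(addr, whitelist)
    if white_action == "unblack":
        # whitelist only removes the address from the blacklist; priority ignored
        return "blacklist" if in_black and not in_white else "pass"
    # white_action == "trust": whitelist hits bypass inspection; priority breaks ties
    if in_black and in_white:
        return "blacklist" if priority == "blacklist" else "trust"
    if in_black:
        return "blacklist"
    return "trust" if in_white else "pass"


def summarize(text):
    """(loaded, invalid) counts to compare against the 'Reputation entries loaded' log line."""
    nets, invalid = parse_list(text)
    return len(nets), len(invalid)


if __name__ == "__main__":
    bl, _ = parse_list(SAMPLE_BLACKLIST)
    wl, _ = parse_list(SAMPLE_WHITELIST)
    print("blacklist loaded/invalid:", summarize(SAMPLE_BLACKLIST))
    for ip in ("198.51.100.7", "192.168.1.50", "203.0.113.42", "2001:db8::1", "8.8.8.8"):
        print(ip, "->", verdict(ip, bl, wl))
        print(ip, "(scan_local, trust, priority blacklist) ->",
              verdict(ip, bl, wl, "trust", "blacklist", scan_local=True))
```

Run it against your own `default.blacklist` and `default.whitelist` by passing their contents to `parse_list`, then compare `summarize()` with the "Reputation entries loaded" and "invalid" counters in the startup log and `verdict()` with what you observe for a test address. Note that a manually added entry on the sensor's own RFC 1918 network is skipped unless `scan_local` is turned on, and that any "invalid" line in the log is an entry that silently never takes effect.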
