[Snort-users] reputation preprocessor and IDS
rcombs at ...1935...
Tue Jun 4 16:17:12 EDT 2013
On Tue, Jun 4, 2013 at 4:04 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 6/4/2013 15:36, JJC wrote:
> > Yes, the IP Rep preprocessor works in passive mode just like it does in
> > mode, other than drop of course.
> correct on the drop method... we don't even use it :)
> i'll have to dig and see if there is/was a bug that was fixed from 184.108.40.206
> the latest snort versions... i whitelisted a CIDR block and they still
> alerts... specifically, we saw alerts on 129:20 when snort was reloading
> setting the CIDR block in the whitelist file and bouncing snort with a
> exit and startup... we've also seen 128:4 when sshing into that sensor on a
> non-standard port but we DO have that non-standard port listed in the ssh
> section of snort.conf... these alerts happen for only a short time and then
> snort seems to settle down and stop issuing them even though those same
> connections are still active or being terminated and restarted again...
Do you have stream5_tcp: require_3whs set? That might help reach steady
> i've just tested again an hour after the above alerts were logged and am
> the same alerts as noted above... the traffic is very light compared to
> many systems see... it is only a 100M internal LAN... there /may/ be some
> swapping going on on that test sensor... i'm seeing 7M of swap space
> used but i really don't think that that is getting in the way here...
Do you have reputation: white trust set? Default is to unblack (not trust).
Also, you may need to set reputation: scan_local if the alerts are on local
> > On Tue, Jun 4, 2013 at 1:27 PM, waldo kitty <wkitty42 at ...14940...
> > <mailto:wkitty42 at ...14940...>> wrote:
> > does the reputation preprocessor work in IDS (non-inline) mode?
> > eg: if one places an IP in the whitelist, that IP still generates
> alerts. it
> > should not, should it? shouldn't it just pass right on thru all
> NOTE: No off-list assistance is given without prior approval.
> Please keep mailing list traffic on the list unless
> private contact is specifically requested and granted.
> How ServiceNow helps IT people transform IT departments:
> 1. A cloud service to automate IT design, transition and operations
> 2. Dashboards that offer high-level views of enterprise services
> 3. A single system of record for all IT processes
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users