[Snort-users] reputation preprocessor and IDS

Joel Esler jesler at ...1935...
Tue Jun 4 18:20:12 EDT 2013


On Jun 4, 2013, at 4:04 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 6/4/2013 15:36, JJC wrote:
>> Yes, the IP Rep preprocessor works in passive mode just like it does in inline
>> mode, other than drop of course.
> 
> correct on the drop method... we don't even use it :)
> 
> I'll have to dig and see if there is/was a bug that was fixed from 2.9.4.1 to 
> the latest snort versions... I whitelisted a CIDR block and they still generate 
> alerts... specifically, we saw alerts on 129:20 when snort was reloading after 
> setting the CIDR block in the whitelist file and bouncing snort with a complete 
> exit and startup... we've also seen 128:4 when sshing into that sensor on a 
> non-standard port but we DO have that non-standard port listed in the ssh config 
> section of snort.conf... these alerts happen for only a short time and then 
> snort seems to settle down and stop issuing them even though those same 
> connections are still active or being terminated and restarted again...

Whitelist doesn't mean "totally ignore these hosts"; whitelist is used in the sense of "these things in this whitelist? Yeah, they never get blacklisted."

If you want to ignore a host, bpf it out like normal.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
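To make the distinction concrete, here is an added snort.conf fragment (not from this thread, and not Sourcefire's own text) showing a reputation whitelist entry beside a BPF exclusion; the list paths, the bpf file path and the 192.0.2.0/24 addresses are assumptions chosen for illustration.

```conf
# Added example, not part of the original post. Paths and addresses
# below are placeholders; adjust them to the sensor's layout.

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

# 1. Reputation preprocessor. A CIDR in white_list.rules is only
#    exempted from the blacklist; every detection rule and every other
#    preprocessor (e.g. 128:4 from ssh, 129:20 from stream) still runs
#    on that traffic, so whitelisting alone does not silence alerts.
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/white_list.rules, \
    blacklist $BLACK_LIST_PATH/black_list.rules

# Contents of $WHITE_LIST_PATH/white_list.rules (constructed sample,
# one CIDR per line, '#' starts a comment):
#   192.0.2.0/24   # never blacklisted by the reputation preprocessor

# 2. To have Snort ignore a host entirely, exclude it with a BPF filter.
#    The filter file below is loaded at startup (same effect as 'snort -F').
config bpf_file: /etc/snort/snort.bpf

# Contents of /etc/snort/snort.bpf (constructed sample):
#   not host 192.0.2.10
```

Traffic matched by the BPF expression is dropped by the capture layer before any preprocessor sees it, which is why it removes alerts where the whitelist does not; restrict the filter to the specific management host rather than the whole block so the sensor keeps inspecting the rest of that range.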