[Snort-users] Unexpected results with reputation preprocessor

Dave Corsello
Wed Mar 19 17:35:30 EDT 2014


I log to unified2 and fast alerts.  Here's an example from alert.fast:

03/19-15:05:07.463849  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 184.22.119.205:26174 -> x.x.x.x:25
03/19-15:05:07.463849 184.22.119.205:26174 -> x.x.x.x:25
TCP TTL:53 TOS:0x0 ID:24430 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74ADFBAC  Ack: 0x0  Win: 0x3908  TcpLen: 28
TCP Options (3) => MSS: 1460 NOP WS: 8
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


03/19-15:05:07.464089  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:25 -> 184.22.119.205:26174
03/19-15:05:07.464089 x.x.x.x:25 -> 184.22.119.205:26174
TCP TTL:202 TOS:0x0 ID:13060 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x74ADFBAD  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

x.x.x.x represents the private address of my mail server.  I was wrong
when I said that the timestamps are identical--they appear to be the
same in BASE, in which seconds are the smallest increment.  There are no
corresponding records in my maillog.

On 3/19/2014 4:12 PM, James Lay wrote:
> Are you logging to unified?  Would be interesting to see the output of 
> that offlist perhaps if it's sensitive.
>
> James
>
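The two records above are the two halves of one connection attempt: the second packet's Ack (0x74ADFBAD) is the first packet's Seq (0x74ADFBAC) plus one, and the two timestamps differ by 240 microseconds, which a seconds-resolution display such as BASE collapses to "identical". The following parser is an added example, not code from the Snort project or from the poster: it reads alert output in exactly the shape shown (alert header followed by the packet detail lines), groups alerts by direction-agnostic flow, pairs each SYN with a RST/ACK in the opposite direction whose Ack equals Seq + 1, and reports the microsecond delta. The sample log is constructed from the records in the post with x.x.x.x kept as the placeholder; the flag decoding assumes Snort's fixed eight-position "12UAPRSF" flag string.

```python
"""Parse Snort alert output (alert header plus packet detail) and pair both
directions of a TCP connection attempt.  Added example; not code from the
Snort project or from the original poster."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Alert header, e.g.
# 03/19-15:05:07.463849  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: ...] [Priority: 2] {TCP} a:p -> b:q
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)
# IP detail line: "TCP TTL:53 TOS:0x0 ID:24430 IpLen:20 DgmLen:48 DF"
IP_RE = re.compile(r"^\w+\s+TTL:(?P<ttl>\d+)\s+TOS:0x[0-9A-Fa-f]+\s+ID:(?P<ipid>\d+)\s+IpLen:\d+\s+DgmLen:(?P<dgmlen>\d+)")
# TCP detail line: "******S* Seq: 0x74ADFBAC  Ack: 0x0  Win: 0x3908  TcpLen: 28"
TCP_RE = re.compile(
    r"^(?P<flags>[*12UAPRSF]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)\s+Ack:\s*0x(?P<ack>[0-9A-Fa-f]+)"
    r"\s+Win:\s*0x[0-9A-Fa-f]+\s+TcpLen:\s*(?P<tcplen>\d+)"
)
# Snort prints the TCP flag byte as eight fixed positions; '*' means the flag is clear.
FLAG_POSITIONS = "12UAPRSF"

# Constructed sample: the two records from the post, header lines unwrapped.
SAMPLE_LOG = """\
03/19-15:05:07.463849  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 184.22.119.205:26174 -> x.x.x.x:25
03/19-15:05:07.463849 184.22.119.205:26174 -> x.x.x.x:25
TCP TTL:53 TOS:0x0 ID:24430 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74ADFBAC  Ack: 0x0  Win: 0x3908  TcpLen: 28
TCP Options (3) => MSS: 1460 NOP WS: 8
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/19-15:05:07.464089  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:25 -> 184.22.119.205:26174
03/19-15:05:07.464089 x.x.x.x:25 -> 184.22.119.205:26174
TCP TTL:202 TOS:0x0 ID:13060 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x74ADFBAD  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""


@dataclass
class Alert:
    ts: datetime
    action: Optional[str]
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: Optional[int] = None
    flags: str = ""            # decoded letters, e.g. "S" or "AR"
    seq: Optional[int] = None
    ack: Optional[int] = None

    def flow_key(self) -> Tuple:
        # Direction-agnostic key so both halves of one connection group together.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


def decode_flags(raw: str) -> str:
    return "".join(name for name, ch in zip(FLAG_POSITIONS, raw) if ch != "*")


def parse_alert_log(text: str) -> List[Alert]:
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    for line in text.splitlines():
        line = line.strip()
        m = ALERT_RE.match(line)
        if m:
            current = Alert(
                # The log carries no year; strptime defaults it, which is fine for deltas.
                ts=datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),
                action=m["action"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
                msg=m["msg"], proto=m["proto"], src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]),
            )
            alerts.append(current)
            continue
        if current is None:
            continue
        m = IP_RE.match(line)
        if m:
            current.ttl = int(m["ttl"])
            continue
        m = TCP_RE.match(line)
        if m:
            current.flags = decode_flags(m["flags"])
            current.seq = int(m["seq"], 16)
            current.ack = int(m["ack"], 16)
    return alerts


def pair_handshake_alerts(alerts: List[Alert]) -> List[dict]:
    """Pair each SYN alert with a RST-bearing alert in the opposite direction
    whose Ack equals the SYN's Seq + 1, i.e. a direct answer to that SYN."""
    by_flow: Dict[Tuple, List[Alert]] = {}
    for a in alerts:
        by_flow.setdefault(a.flow_key(), []).append(a)
    pairs: List[dict] = []
    for flow_alerts in by_flow.values():
        for syn in (a for a in flow_alerts if a.flags == "S" and a.seq is not None):
            for other in flow_alerts:
                if other is syn or other.ack is None:
                    continue
                reverse_dir = other.src == syn.dst and other.sport == syn.dport
                answers_syn = other.ack == ((syn.seq + 1) & 0xFFFFFFFF)
                if reverse_dir and "R" in other.flags and answers_syn:
                    pairs.append({
                        "syn_from": syn.src, "syn_action": syn.action,
                        "reset_from": other.src, "reset_action": other.action,
                        "reset_ttl": other.ttl,
                        # Exact integer microseconds between the two alerts.
                        "delta_us": (other.ts - syn.ts) // timedelta(microseconds=1),
                        # What a seconds-resolution display would show.
                        "same_second": syn.ts.replace(microsecond=0) == other.ts.replace(microsecond=0),
                    })
    return pairs


if __name__ == "__main__":
    for p in pair_handshake_alerts(parse_alert_log(SAMPLE_LOG)):
        print(p)
```

Run against the sample it reports one pair: SYN from 184.22.119.205 answered by a RST/ACK from x.x.x.x, 240 µs apart, same_second True. The pairing key is the Ack number rather than the timestamp, so it still works on logs where a seconds-only tool has already made the two records look simultaneous.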