[Snort-users] Blacklist not working

Charlie ForFun2000 at ...125...
Thu Aug 6 04:54:42 EDT 2015


Hi

I am using Snort 2.9.7.5 with barnyard2-1.13 on a Linux RaspberryPI2 3.18.11-v7+

In my snort.conf, I have:
var RULE_PATH /usr/local/snort/rules
...
var WHITE_LIST_PATH /usr/local/snort/rules/iplists
var BLACK_LIST_PATH /usr/local/snort/rules/iplists
...
preprocessor reputation: \
    memcap 500, \
    scan_local, \
    priority blacklist, \
    nested_ip inner, \
    blacklist $BLACK_LIST_PATH/default.blacklist
...
include $RULE_PATH/blacklist.rules

/usr/local/snort/rules/iplists/default.blacklist contains:
1.160.114.65
1.174.194.40
1.234.245.2
...

/usr/local/snort/rules/blacklist.rules contains:
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
...

If I try to ping 1.160.114.65, no alert is reported by Snort.
If I try datajunction.org (or datajunction.org:53) in a browser, I can see the Kaspersky Lab home page and no alert is reported by Snort.

So now I am suspicious that the blacklist function is not working, but why?
How would you test the blacklist function?

Thanks in advance
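As an added example (not from the poster's setup or from the Snort project), a small Python check that parses a file in the reputation preprocessor's list format (one IPv4 address or CIDR block per line, `#` comments) and reports which of a set of flows touch a listed address on either end, so the expected hits can be compared against what Snort actually logs. The list contents and the flows are constructed sample values.

```python
import ipaddress

# Constructed sample in the reputation preprocessor's list format
# (not the poster's real default.blacklist): one address or CIDR per line.
SAMPLE_BLACKLIST = """\
# constructed sample list
1.160.114.65
1.174.194.40
1.234.245.2
203.0.113.0/24   # TEST-NET-3, used here as a constructed CIDR entry
"""


def load_iplist(text):
    """Parse a reputation list into ip_network objects (bare hosts become /32)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def matches(nets, ip):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_flows(nets, flows):
    """For each (src, dst) pair, return (src, dst, listed_endpoints) for the
    flows that should be flagged. The reputation preprocessor looks at both
    the source and the destination address of every packet."""
    hits = []
    for src, dst in flows:
        listed = [ip for ip in (src, dst) if matches(nets, ip)]
        if listed:
            hits.append((src, dst, listed))
    return hits


if __name__ == "__main__":
    nets = load_iplist(SAMPLE_BLACKLIST)
    # Constructed flows: a ping to a listed host, normal DNS, inbound from a listed block.
    flows = [("192.168.1.10", "1.160.114.65"),
             ("192.168.1.10", "8.8.8.8"),
             ("203.0.113.7", "192.168.1.10")]
    for src, dst, listed in check_flows(nets, flows):
        print(f"{src} -> {dst}: blacklisted endpoint(s) {listed}")
```

Reputation preprocessor hits are logged as generator 136 events (136:1 for blacklisted packets), separate from the signature IDs in blacklist.rules, so that is the event to look for when checking whether the list is being applied.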



