[Snort-users] Blacklist not working

Hui cao huica at ...589...
Mon Aug 10 15:28:26 EDT 2015


Hi Charlie,

Blacklist rules are different from IP blacklists. In order to make this 
work, you should enable the stream preprocessor and enable the preprocessor 
alerts for blacklist (136:1). If you still have this issue, can you 
provide the snort output?

Best,
Hui.

On 08/06/2015 04:54 AM, Charlie wrote:
>
> Hi
>
> I am using Snort 2.9.7.5 with barnyard2-1.13 on a Linux 
> RaspberryPI2 3.18.11-v7+
>
> In my snort.conf, I have:
> var RULE_PATH /usr/local/snort/rules
> ...
> var WHITE_LIST_PATH /usr/local/snort/rules/iplists
> var BLACK_LIST_PATH /usr/local/snort/rules/iplists
> ...
> preprocessor reputation: \
>    memcap 500, \
>    scan_local, \
>    priority blacklist, \
>    nested_ip inner, \
>    blacklist $BLACK_LIST_PATH/default.blacklist
> ...
> include $RULE_PATH/blacklist.rules
>
> /usr/local/snort/rules/iplists/default.blacklist contains:
> 1.160.114.65
> 1.174.194.40
> 1.234.245.2
> ...
>
> /usr/local/snort/rules/blacklist.rules contains:
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for 
> known malware domain datajunction.org - Gauss "; flow:to_server; 
> byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; 
> fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, 
> policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; 
> reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
> classtype:trojan-activity; sid:23802; rev:2;)
> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for 
> known malware domain guest-access.net - Gauss "; flow:to_server; 
> byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; 
> fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, 
> policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; 
> reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
> classtype:trojan-activity; sid:23799; rev:2;)
> ...
>
> If I try to ping 1.160.114.65, no alert is reported by snort.
> If I try in a browser datajunction.org (-or- datajunction.org:53), I 
> can see the Kaspersky Lab home page and no alert is reported by snort.
>
> So now I am suspicious that the blacklist function is not working, but why?
> How would you test the blacklist function?
>
> Thanks in advance
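A constructed checker for the pieces Hui lists (the stream preprocessor, the reputation preprocessor stanza, and the 136:1 preprocessor alert), added here and not code from the thread or from Snort itself. It assumes the stock Snort 2.9 names `preprocessor stream5_global` and `include $PREPROC_RULE_PATH/preprocessor.rules` and the stock `preprocessor.rules` line format; the snort.conf fragment, blacklist file and rules excerpt are all constructed from the thread.

```python
# Added example (not Snort's code): check a snort.conf for what the reputation
# preprocessor needs to raise 136:1, and resolve an IP against the blacklist.
import ipaddress
import re

# Constructed fragment mirroring the thread's snort.conf; the stream5 and
# preprocessor.rules lines are deliberately absent so the checker flags them.
SNORT_CONF = """\
var RULE_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules/iplists
preprocessor reputation: \\
   memcap 500, \\
   priority blacklist, \\
   blacklist $BLACK_LIST_PATH/default.blacklist
include $RULE_PATH/blacklist.rules
"""
# Constructed blacklist file: one IP or CIDR per line, '#' starts a comment.
BLACKLIST = "# sample entries\n1.160.114.65\n1.234.245.0/24\n"
# Constructed preprocessor.rules excerpt in the stock Snort 2.9 format (assumption).
PREPROC_RULES = ('alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; '
                 'rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )\n')

# Assumption: stock snort.conf names for the stream preprocessor and the
# preprocessor-rules include; a line commented out with '#' does not count.
REQUIRED = {
    "stream preprocessor": r"^\s*preprocessor\s+stream5_global",
    "reputation preprocessor": r"^\s*preprocessor\s+reputation",
    "preprocessor rules included": r"^\s*include\s+\$PREPROC_RULE_PATH/preprocessor\.rules",
}

def missing_pieces(conf):
    """Names of REQUIRED pieces absent from conf, after folding backslash continuations."""
    folded = re.sub(r"\\\n\s*", " ", conf)
    return [n for n, pat in REQUIRED.items() if not re.search(pat, folded, re.M)]

def blacklist_alert_enabled(rules):
    """True if an uncommented preprocessor rule with gid 136 and sid 1 is present."""
    pat = r"^\s*alert\s*\(.*\bsid:\s*1\s*;.*\bgid:\s*136\s*;"
    return re.search(pat, rules, re.M) is not None

def load_blacklist(text):
    """Parse the reputation list format: bare IPs and CIDR blocks, '#' comments."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [ipaddress.ip_network(ln, strict=False) for ln in lines if ln]

def is_blacklisted(ip, nets):
    """Would the reputation list match this address against the loaded networks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)
```

Running `missing_pieces(SNORT_CONF)` on the thread's fragment reports the stream preprocessor and the preprocessor-rules include as missing, which is exactly why no 136:1 alert can fire even though the address is on the list.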
