[Snort-users] Problem with reputation preprocessor in snort version 2.9.8.0 ??

Timo snort at ...17356...
Wed Dec 9 05:03:59 EST 2015


Hi,

i just updated from Snort 2.9.7.6 to 2.9.8.0 (did the update from one to 
another machine - but same OS - Ubuntu 14 LTS). I copied the 
configuration from old version to new version. Everything seems to work 
but the reputation preprocessor. I receive absolutly no alerts about IPs 
listed in my ipblacklist.
I also tested with "/usr/local/bin/snort -u snort -g snort -c 
/etc/snort/snort.conf -i eth0 -A console". Rules alert fine, but blocked 
IPs not.
Is there a known issue with reputation preprocessor in this version?

This is my config:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
    memcap 500, \
    scan_local, \
    priority whitelist, \
    nested_ip both, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
    blacklist $BLACK_LIST_PATH/iplists/default.blacklist, \
    blacklist $BLACK_LIST_PATH/iplists/additional.blacklist

default.whitelist is empty.
default.blacklist is around 588KB
additional.blacklist is around 360KB

gen-msg.map:
...
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
...

threshold.conf:
#suppress gen_id 129, sig_id 12
#suppress gen_id 129, sig_id 15
suppress gen_id 105, sig_id 0
suppress gen_id 106, sig_id 0
suppress gen_id 112, sig_id 0
suppress gen_id 116, sig_id 0
suppress gen_id 119, sig_id 0
suppress gen_id 120, sig_id 0
suppress gen_id 122, sig_id 0
suppress gen_id 123, sig_id 0
suppress gen_id 124, sig_id 0
suppress gen_id 125, sig_id 0
suppress gen_id 126, sig_id 0
suppress gen_id 127, sig_id 0
suppress gen_id 128, sig_id 0
suppress gen_id 129, sig_id 0
suppress gen_id 131, sig_id 0
suppress gen_id 132, sig_id 0
suppress gen_id 133, sig_id 0
suppress gen_id 134, sig_id 0
#suppress gen_id 136, sig_id 0
suppress gen_id 137, sig_id 0
suppress gen_id 139, sig_id 0
suppress gen_id 140, sig_id 0
suppress gen_id 141, sig_id 0
suppress gen_id 142, sig_id 0
suppress gen_id 143, sig_id 0
suppress gen_id 1, sig_id 1852

cheers
Timo




More information about the Snort-users mailing list