[Snort-users] Problem with reputation preprocessor in snort version 2.9.8.0 ??

Timo snort at ...17356...
Wed Dec 9 07:39:43 EST 2015


Found the issue. I temporarily disabled all the Snort rules. Only 
additional rules were enabled. So all the decoder rules were missing. 
So no alerts. With default Snort rules all is fine now. Sorry. :)
On 09.12.2015 at 11:03, Timo wrote:
> Hi,
>
> I just updated from Snort 2.9.7.6 to 2.9.8.0 (did the update from one 
> to another machine - but same OS - Ubuntu 14 LTS). I copied the 
> configuration from old version to new version. Everything seems to 
> work but the reputation preprocessor. I receive absolutely no alerts 
> about IPs listed in my ipblacklist.
> I also tested with "/usr/local/bin/snort -u snort -g snort -c 
> /etc/snort/snort.conf -i eth0 -A console". Rules alert fine, but 
> blocked IPs not.
> Is there a known issue with reputation preprocessor in this version?
>
> This is my config:
>
> # Reputation preprocessor. For more information see README.reputation
> preprocessor reputation: \
>    memcap 500, \
>    scan_local, \
>    priority whitelist, \
>    nested_ip both, \
>    nested_ip inner, \
>    whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
>    blacklist $BLACK_LIST_PATH/iplists/default.blacklist, \
>    blacklist $BLACK_LIST_PATH/iplists/additional.blacklist
>
> default.whitelist is empty.
> default.blacklist is around 588KB
> additional.blacklist is around 360KB
>
> gen-msg.map:
> ...
> 136 || 1 || reputation: Packet is blacklisted
> 136 || 2 || reputation: Packet is whitelisted
> ...
>
> threshold.conf:
> #suppress gen_id 129, sig_id 12
> #suppress gen_id 129, sig_id 15
> suppress gen_id 105, sig_id 0
> suppress gen_id 106, sig_id 0
> suppress gen_id 112, sig_id 0
> suppress gen_id 116, sig_id 0
> suppress gen_id 119, sig_id 0
> suppress gen_id 120, sig_id 0
> suppress gen_id 122, sig_id 0
> suppress gen_id 123, sig_id 0
> suppress gen_id 124, sig_id 0
> suppress gen_id 125, sig_id 0
> suppress gen_id 126, sig_id 0
> suppress gen_id 127, sig_id 0
> suppress gen_id 128, sig_id 0
> suppress gen_id 129, sig_id 0
> suppress gen_id 131, sig_id 0
> suppress gen_id 132, sig_id 0
> suppress gen_id 133, sig_id 0
> suppress gen_id 134, sig_id 0
> #suppress gen_id 136, sig_id 0
> suppress gen_id 137, sig_id 0
> suppress gen_id 139, sig_id 0
> suppress gen_id 140, sig_id 0
> suppress gen_id 141, sig_id 0
> suppress gen_id 142, sig_id 0
> suppress gen_id 143, sig_id 0
> suppress gen_id 1, sig_id 1852
>
> cheers
> Timo
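A small config self-check of the kind that would have shortened this hunt, added here as an example and not part of the original thread: it folds the `preprocessor reputation:` stanza, flags a `nested_ip` given twice (as in the quoted config), looks for a global suppress on GID 136 in threshold.conf, and checks that preprocessor.rules is included (or `config autogenerate_preprocessor_decoder_rules` is set), since in Snort 2.9 preprocessor events only turn into alerts through one of those. The two config strings are constructed samples modelled on the quoted files, and `preprocessor.rules` / `autogenerate_preprocessor_decoder_rules` are the standard Snort 2.9 names rather than anything taken from the post.

```python
import re

# Constructed sample inputs modelled on the quoted stanza and threshold.conf.
SNORT_CONF = """\
preprocessor reputation: \\
   memcap 500, \\
   scan_local, \\
   priority whitelist, \\
   nested_ip both, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \\
   blacklist $BLACK_LIST_PATH/iplists/default.blacklist
# include $PREPROC_RULE_PATH/preprocessor.rules
"""
THRESHOLD_CONF = """\
suppress gen_id 105, sig_id 0
#suppress gen_id 136, sig_id 0
"""
REPUTATION_GID = 136  # GID of the reputation preprocessor (see gen-msg.map)

def parse_reputation_stanza(conf):
    """Fold backslash continuations, then return {keyword: [values]}."""
    opts = {}
    for line in re.sub(r"\\\n", " ", conf).splitlines():
        if line.startswith("preprocessor reputation:"):
            for item in line.split(":", 1)[1].split(","):
                parts = item.split()
                if parts:
                    opts.setdefault(parts[0], []).append(" ".join(parts[1:]))
    return opts

def suppressed_gids(threshold_conf):
    """GIDs silenced by an uncommented 'suppress gen_id N, sig_id 0' line."""
    pat = re.compile(r"\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+0\b")
    return {int(m.group(1)) for m in map(pat.match, threshold_conf.splitlines()) if m}

def check_reputation_alerts(conf, threshold_conf):
    """List reasons why GID 136 alerts could stay silent with this config."""
    findings, opts = [], parse_reputation_stanza(conf)
    if len(opts.get("nested_ip", [])) > 1:
        findings.append("nested_ip given more than once: %s" % opts["nested_ip"])
    if REPUTATION_GID in suppressed_gids(threshold_conf):
        findings.append("threshold.conf suppresses gen_id %d" % REPUTATION_GID)
    # Preprocessor events become alerts only via preprocessor.rules (or autogenerate).
    active = [l.strip() for l in conf.splitlines() if not l.lstrip().startswith("#")]
    if not any(l.startswith("include") and l.endswith("preprocessor.rules") for l in active) \
            and not any("autogenerate_preprocessor_decoder_rules" in l for l in active):
        findings.append("preprocessor.rules not included and autogenerate not set")
    return findings
```

Run it against the real snort.conf and threshold.conf by reading the files into the two arguments; an empty list means none of these three silencers is present.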