[Snort-users] Reputation Preprocessor Question - Blacklist causing packets to skip other preprocessors and rule engine

Noah Dietrich noah_dietrich at ...17393...
Sat Dec 12 10:57:57 EST 2015


Hello,

My question is in relation to the reputation processor in Snort when
running in NIDS mode.  I have snort working correctly with the reputation
processor (alerts are generated by the reputation preprocessor when a
packet comes from a blacklisted host), but it seems that if a packet comes
from a host that is blacklisted, the packet is NOT processed by the rule
engine (and possibly the other preprocessors) after generating the
reputation preprocessor alert.

I verified this with a simple configuration (two rules in my local.rules,
with no other rules enabled), one to alert on preprocessor blacklist
alerts, and another one for all ICMP events.

When i ping my snort sensor from a host on the blacklist, I get the alert
generated by the preprocessor, but NOT from my ICMP rule.  When I remove
that host from the blacklist and ping again, I get the alerts from my ICMP
rule.

I also noted that I received echo replies from the snort sensor for each
ICMP request I sent (running in NIDS mode, this makes sense).

It seems that when Snort is running in  NIDS  mode, and it sees a packet
from a blacklisted host, that it should generate the reputation
preprocessor blacklist alert, but that the packet should still be processed
by the other preprocessors and the rule engine (if not by default, at least
with a preprocessor configuration  option).

Thank you,
noah
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20151212/cbf87a24/attachment.html>


More information about the Snort-users mailing list