[Snort-users] snort black list issue

anton van der leun anton at ...17621...
Tue Aug 2 10:50:58 EDT 2016


Hi Hui,

Yes, I checked that already.

The client of the test has IP address 192.168.63.1

The white-list is very short:

##callvoip
91.195.160.0/25
91.195.161.0/25
##microsoft
191.234.4.0/24
##ger schiedam glas:
163.158.245.128
##akama1
95.100.96.0/23
##dell download:
68.232.34.141
##alex:
37.59.121.224
##xenserver download:
95.100.97.40
##freenas:
64.62.136.60
192.168.63.100
##nagios
192.168.63.199
##ISPconfig schiedam:
10.117.0.244
##customer SNORT devices :
192.2.XXX.XXX       <changed for privacy reason>
192.168.XXX.XXX     <changed for privacy reason>

 
 
From: Hui cao [mailto:huica at ...589...] 
Sent: Tuesday, 2 August 2016 16:43
To: anton van der leun <anton at ...17621...>; Anton van der Leun <anton at ...391...7625...>; snort-users at lists.sourceforge.net
CC: Alexander van der Leun <alex at ...17625...>
Subject: Re: AW: [Snort-users] snort black list issue

 
Hi Anton,

You have packets that are whitelisted. Have you checked that either IP is not in whitelist?

Do you have this defined in your rule?

drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )

Best,
Hui.

On 08/02/2016 10:21 AM, anton van der leun wrote:

Reputation Preprocessor Statistics
Total Memory Allocated: 2257540
Number of packets blacklisted: 12
Number of packets whitelisted: 333
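
Added example, not part of the original thread: one way to run the check discussed above, listing which whitelist entries cover a given source or destination address. It assumes the list format is one address or CIDR per line with # comments; parse_list and covering are names chosen here, and the entries are copied from the whitelist quoted in the message.

```python
import ipaddress

# Entries copied from the whitelist quoted in the message above; the two
# redacted lines are kept verbatim so the parser has something to reject.
WHITELIST = """\
##callvoip
91.195.160.0/25
91.195.161.0/25
##microsoft
191.234.4.0/24
##ger schiedam glas:
163.158.245.128
##akama1
95.100.96.0/23
##dell download:
68.232.34.141
##alex:
37.59.121.224
##xenserver download:
95.100.97.40
##freenas:
64.62.136.60
192.168.63.100
##nagios
192.168.63.199
##ISPconfig schiedam:
10.117.0.244
##customer SNORT devices :
192.2.XXX.XXX       <changed for privacy reason>
192.168.XXX.XXX     <changed for privacy reason>
"""

def parse_list(text):
    """Split a reputation list into parsed networks and unparseable lines."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split()   # drop comments, keep tokens
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry[0], strict=False))
        except ValueError:
            rejected.append(raw.strip())       # e.g. the redacted entries
    return nets, rejected

def covering(ip, nets):
    """Return every list entry that contains ip."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]
```

An address that matches no parsed entry can still fall under one of the rejected lines, so those have to be compared by hand against the real file. Run the check for both the source and the destination address of the test traffic.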

 