[Snort-users] Snort preprocessor reputation: no effect

Marcin Dulak marcin.dulak at ...11827...
Sat May 6 04:55:40 EDT 2017


On Sat, May 6, 2017 at 9:04 AM, 阔野嘹歌 <85358830 at ...15456...> wrote:

> Hi,
>
> I'm running Snort 2.9.8.3 on a Debian 8.2 virtual machine and have a problem.
>
> I followed this tutorial:
>
> https://sublimerobots.com/2015/12/the-snort-reputation-preprocessor/
>
> but my DAQ is NFQ. The following line is my start snort command:
>
> root at ...274...:~/pack/snort-2.9.8.3/src# ./snort -Q --process-all-events
> --daq nfq --daq-var device=eth0 --daq-var queue=1 -c ../etc/snort.conf
>
> My iptables configuration commands are:
>
> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> iptables -I FORWARD -j NFQUEUE --queue-num 1
> iptables -I INPUT -j NFQUEUE --queue-num 1
>
> My reputation configuration is:
>
> # Reputation preprocessor. For more information see README.reputation
> preprocessor reputation: \
>    memcap 500, \
>    scan_local, \
> #   priority whitelist, \
>    white unblack, \
>    nested_ip inner, \
>    whitelist /root/pack/snort-2.9.8.3/rules/white_list.rules, \
>    blacklist /root/pack/snort-2.9.8.3/rules/black_list.rules
>
> My local.rules includes:
>
> drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1;
> metadata: rule-type preproc ; classtype:bad-unknown; )
>
> My black_list.rules includes:
>
> 192.168.59.128/24
>
> My running snort host IP is 192.168.59.188. It looks like it works well; the
> following lines are the output:
>
> Enabling inline operation
> Running in IDS mode
> ........
> ....
> Reputation config:
>     Processing whitelist file /root/pack/snort-2.9.8.3/rules/white_list.rules
>     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /root/pack/snort-2.9.8.3/rules/white_list.rules)
>     Processing blacklist file /root/pack/snort-2.9.8.3/rules/black_list.rules
>       (9) => Re-defined address: '192.168.59.158/24'
>     Reputation entries loaded: 1, invalid: 0, re-defined: 1 (from file /root/pack/snort-2.9.8.3/rules/black_list.rules)
>     Reputation total memory usage: 329512 bytes
>     Reputation total entries loaded: 1, invalid: 0, re-defined: 1
>     Memcap: 500 (Default) M bytes
>     Scan local network: ENABLED
>     Reputation priority:  whitelist(Default)
>     Nested IP: inner (Default)
>     White action: unblack (Default)
>     Shared memory is Not supported.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 1 Snort rules read
>     0 detection rules
>     0 decoder rules
>     1 preprocessor rules
> 1 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> ...........
> .....
>
> While I use the virtual machine with IP 192.168.59.128 to PING my snort
> host (192.168.59.188), I get this alert log:
>
> [**] [136:1:1] (spp_reputation) packets blacklisted [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 05/06-13:08:46.043200 192.168.59.128 -> 192.168.59.188
> ICMP TTL:64 TOS:0x0 ID:54848 IpLen:20 DgmLen:84 DF
> Type:8  Code:0  ID:20449   Seq:376  ECHO
>
> [**] [136:1:1] (spp_reputation) packets blacklisted [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 05/06-13:08:47.054471 192.168.59.128 -> 192.168.59.188
> ICMP TTL:64 TOS:0x0 ID:54902 IpLen:20 DgmLen:84 DF
> Type:8  Code:0  ID:20449   Seq:377  ECHO
>
> [**] [136:1:1] (spp_reputation) packets blacklisted [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 05/06-13:08:48.054271 192.168.59.128 -> 192.168.59.188
> ICMP TTL:64 TOS:0x0 ID:55019 IpLen:20 DgmLen:84 DF
> Type:8  Code:0  ID:20449   Seq:378  ECHO
>
> and host 192.168.59.128 gets this info:
>
> root at ...274...:~# ping 192.168.59.188
> PING 192.168.59.188 (192.168.59.188) 56(84) bytes of data.
> ^C
> --- 192.168.59.188 ping statistics ---
> 378 packets transmitted, 0 received, 100% packet loss, time 377243ms
>
> It looks like it worked well. The rule drop looks like it has an effect.
>
> But on the snort host (192.168.59.188) I start the netcat software as a
> server using the following line:
>
> root at ...274...:~# nc -l -p 61324
>
> At host 192.168.59.128 I start the netcat software as a client using the
> following line:
>
> root at ...274...:~# nc 192.168.59.188 61234
>
> It can connect successfully, and 192.168.59.128 using SSH can connect
> successfully.
>
> So it looks like the blacklist has no effect.
>

Could it be this problem:
http://seclists.org/snort/2016/q3/355

Marcin


>
> I have been searching on the net for a long time, but no use. Please help or
> try to give some ideas how to achieve this.
>
> I'm sorry, my English is not good. Sorry, I am a novice.
>
> I do not know if the problem can not be read.
>
> Sorry.
>
> Can someone give me some help?
>
> Can the Chinese give me some help? In Chinese.
>
> I am a lonely self scholar; if you can give me a little help in Chinese,
> thanks in advance.
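Added diagnostic for the configuration and alerts quoted above (example code written for this page, not part of the thread or of Snort): it parses a reputation list file and a Snort full-format alert log, normalises each list entry to the network it actually covers (192.168.59.128/24 has host bits set and covers 192.168.59.0/24, which also contains the sensor's own address), and tallies which protocols triggered gid 136 blacklist events, so a tail of a real alert file shows directly whether only ICMP was blacklisted. The list text and the two alerts are constructed copies of what the poster reported.

```python
import ipaddress
import re
from collections import Counter
# Constructed inputs copied from the thread: the blacklist entry and two alerts.
BLACKLIST = """# black_list.rules
192.168.59.128/24
"""
ALERTS = """[**] [136:1:1] (spp_reputation) packets blacklisted [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/06-13:08:46.043200 192.168.59.128 -> 192.168.59.188
ICMP TTL:64 TOS:0x0 ID:54848 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:20449   Seq:376  ECHO

[**] [136:1:1] (spp_reputation) packets blacklisted [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/06-13:08:47.054471 192.168.59.128 -> 192.168.59.188
ICMP TTL:64 TOS:0x0 ID:54902 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:20449   Seq:377  ECHO
"""

def load_reputation_list(text):
    """Parse one IP/CIDR per line ('#' comments). An entry with host bits set,
    e.g. 192.168.59.128/24, is normalised to the network it really covers."""
    nets, notes = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if "/" in entry and str(net) != entry:
            notes.append(f"{entry} has host bits set; covers {net}")
        nets.append(net)
    return nets, notes

def covering(nets, ip):
    """List entries that contain ip (e.g. does the /24 include the sensor?)."""
    return [n for n in nets if ipaddress.ip_address(ip) in n]

def tally_blacklist_alerts(text):
    """Count gid-136 alerts by (protocol, src, dst) to show what was blacklisted."""
    counts = Counter()
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = re.match(r"\[\*\*\] \[(\d+):(\d+):(\d+)\]", lines[0])
        if not head or head.group(1) != "136" or len(lines) < 4:
            continue
        src, dst = re.search(r"(\S+) -> (\S+)", lines[2]).groups()
        counts[(lines[3].split()[0], src, dst)] += 1
    return counts
```

Point the two functions at the real black_list.rules and alert file to see whether any TCP entries appear alongside the ICMP ones.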


