[Snort-users] Re: Re: Re: snort preprocessor reputation Shared memory loadentries always 0

Victor Roemer viroemer at ...589...
Thu May 11 09:38:18 EDT 2017


On 5/10/17 10:44 PM, 阔野嘹歌 wrote:

> Thx hui.
> Thank you for taking the time to answer my questions.
> Now my snort reputation looks to be working well.
>
>
> I added the IP 192.168.59.228 to the file /usr/reputation/iplists/black_list.blf, then started snort_control using the following command:
> ./snort_control /usr/reputation/ 1361
>
>
> snort_control output:
> Response 0009 with code 0 and length 45
> 52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
> 6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
> 65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
> Response 0000 without data
>
>
>
> But the snort master does not respond, and snort is not blocking the IP 192.168.59.128.
> I noticed this snort output (previous output, not now):
> .........
> .....
>      Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1179648
>      Processing blacklist file /usr/reputation/iplists/black_list.blf
>      Reputation entries loaded: 3, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
>      Processing whitelist file /usr/reputation/iplists/white_list.wlf
>      Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
> Reputation Preprocessor shared memory summary:
>      Reputation total memory usage: 329820 bytes
>      Reputation total entries loaded: 3, invalid: 0, re-defined: 0
>      Reputation Preprocessor: Received segment 0
>      Reputation Preprocessor: Instance 0 switched to segment_version 0
>
>
>
> But my blacklist file now has 4 IPs (192.168.59.228 is the new IP). It looks like the blacklist is not reloaded.
>
>
> My questions are:
> 1. What should I do to get the blacklist loaded?
> 2. What does "1361" mean? How should I know what it means? I searched the snort source, but I can't understand it. The following lines are the output:
>
>
> root at ...274...:~/code/snort# find.sh 1361
>   ################## FIND BEGIN ##################
> ./src/dynamic-plugins/sf_engine/sfprimetable.c:210: 1361, /* 1361 */
> ./src/dynamic-plugins/sf_engine/sfprimetable.c:1558: 31357, /* 31361 */
> ./src/dynamic-plugins/sf_engine/sfprimetable.c:2228:  136189, /* 136192 */
> ./src/target-based/sf_attribute_table_parser.c:1693:     1359,    0, 1360,    0, 1361,    0, 1362,    0, 1363,    0,
> ./src/target-based/sf_attribute_table_parser.c:3452:    11358,11358,11359,11359,11360,11360,11361,11361,11362,11362,
> ./src/target-based/sf_attribute_table_parser.c:4283:     1353, 1355, 1357, 1359, 1361, 1363, 1365, 1367, 1369, 1371,
> ./src/target-based/sf_attribute_table_parser.c:5275:     1351, 1353, 1355, 1357, 1359, 1361, 1363, 1365, 1367, 1369,
> ./src/target-based/sf_attribute_table_parser.c:5976:    11358,11359,11360,11361,11362,11363,11364,11365,11366,11367,
> ./src/dynamic-preprocessors/include/sfprimetable.c:210: 1361, /* 1361 */
> ./src/dynamic-preprocessors/include/sfprimetable.c:1558: 31357, /* 31361 */
> ./src/dynamic-preprocessors/include/sfprimetable.c:2228:  136189, /* 136192 */
> ./src/sfutil/sfprimetable.c:210: 1361, /* 1361 */
> ./src/sfutil/sfprimetable.c:1558: 31357, /* 31361 */
> ./src/sfutil/sfprimetable.c:2228:  136189, /* 136192 */
>   ##################  FIND END  ##################
>
136 is the reputation preprocessor's generator id and 1 is the command.
Check src/dynamic-preprocessors/reputation/spp_reputation.h; you'll see the following:

    #define GENERATOR_SPP_REPUTATION 136
    #define CS_TYPE_REPUTATION_SHAREMEM           ((GENERATOR_SPP_REPUTATION * 10) + 1)
    #define CS_TYPE_REPUTATION_SHAREMEM_LOOKUP    ((GENERATOR_SPP_REPUTATION * 10) + 2)
    #define CS_TYPE_REPUTATION_SHAREMEM_MGMT_INFO ((GENERATOR_SPP_REPUTATION * 10) + 3)

>
>
> Thanks.
> minggang su
>
>
> ------------------ Original Message ------------------
> From: "Hui Cao (huica)";<huica at ...589...>;
> Sent: Wednesday, May 10, 2017, 9:12 PM
> To: "阔野嘹歌"<85358830 at ...15456...>; "Snort-users"<snort-users at lists.sourceforge.net>;
>
> Subject: Re: Re: [Snort-users] Re: snort preprocessor reputation Shared memory loadentries always 0
>
>
> My questions are:
>
> 1. What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?
>
> Yes. You can set it to a higher number since it is configurable. The configuration option is "shared_max_instances". I think the default is 50.
>
> 2. How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.
>
> You have output like this; it is a reader:
>
>     Mapped shared management region of size 128 as a reader.
>      Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
>
> From:  阔野嘹歌 <85358830 at ...15456...>
>   Date: Wednesday, May 10, 2017 at 12:54 AM
>   To: "Hui Cao (huica)" <huica at ...589...>, Snort-users <snort-users at lists.sourceforge.net>
>   Subject: Re: [Snort-users] Re: snort preprocessor reputation Shared memory loadentries always 0
>
> Thx hui.
>
> I used the command as you gave me:
> ./snort -G 0 -Q --process-all-events -c ../etc/snort.conf
>
> The following is the output of the master snort:
> .......
> ...
> Reputation config:
>      Reputation total memory usage: 0 bytes
>      Reputation total entries loaded: 0, invalid: 0, re-defined: 0
>      Memcap: 500 (Default) M bytes
>      Scan local network: ENABLED
>      Reputation priority:  whitelist(Default)
>      Nested IP: both
>      White action: unblack (Default)
>      Shared memory supported, Update directory: /usr/reputation/iplists
>      Shared memory refresh period: 60 (Default) seconds
>      Shared memory max instances: 2
> ..........
> ......
> Reload thread starting...
> Reload thread started, thread 0xa44f1b40 (26006)
>      Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
> Mapped shared management region of size 128 as a writer.
>      Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
>      Processing blacklist file /usr/reputation/iplists/black_list.blf
>      Reputation entries loaded: 2, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
>      Processing whitelist file /usr/reputation/iplists/white_list.wlf
>      Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
> Reputation Preprocessor shared memory summary:
>      Reputation total memory usage: 329712 bytes
>      Reputation total entries loaded: 2, invalid: 0, re-defined: 0
> ........
> .....
>
> The master snort looks to be working well. Next step, I start a new snort instance as a client. It looks like it does not load the shared memory blacklist info; the following line is my command:
> ./snort -G 1 -Q --process-all-events -c ../etc/snort.conf.smg.5.9
>
> Its output:
> .......
> .....
> Reputation config:
>      Reputation total memory usage: 0 bytes
>      Reputation total entries loaded: 0, invalid: 0, re-defined: 0
>      Memcap: 500 (Default) M bytes
>      Scan local network: ENABLED
>      Reputation priority:  whitelist(Default)
>      Nested IP: both
>      White action: unblack (Default)
>      Shared memory supported, Update directory: /usr/reputation/iplists
>      Shared memory refresh period: 60 (Default) seconds
>      Shared memory max instances: 2
> ........
> ......
> Reload thread starting...
> Reload thread started, thread 0xa44a1b40 (26334)
>      Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
> Mapped shared management region of size 128 as a reader.
>      Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
> ..........
> ....
>
> My questions are:
> 1. What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?
> 2. How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.
>
> ------------------ Original Message ------------------
> From: "Hui Cao (huica)";<huica at ...589...>;
> Sent: Tuesday, May 9, 2017, 11:53 PM
> To: "阔野嘹歌"<85358830 at ...15456...>;  "Snort-users"<snort-users at lists.sourceforge.net>;
>
> Subject: Re:  [Snort-users] Re: snort preprocessor reputation Shared memory loadentries always 0
>
> You should use the command:
>   ./snort -G 0 -Q --process-all-events -c ../etc/snort.conf
>
>   Only instance 0 will be a shared memory writer.
>
>   Best,
>   Hui.
>   On 5/9/17, 11:46 AM, "阔野嘹歌" <85358830 at ...15456...> wrote:
>
>       Sorry, message attachments are not supported.
>       Here is my snort.conf:
>       
>       
>       # Reputation preprocessor. For more information see README.reputation
>       preprocessor reputation: \
>          memcap 500, \
>          scan_local, \
>       #   priority whitelist, \
>          white unblack, \
>          nested_ip both, \
>       #   whitelist /usr/reputation/iplists/white_list.wlf, \
>       #   blacklist /usr/reputation/iplists/black_list.blf, \
>          shared_mem /usr/reputation/iplists, \
>          shared_refresh 60
>       
>       Here is my black_list.blf:
>       192.168.59.158/32
>       192.168.59.128/32
>       
>       ------------------ Original Message ------------------
>       From: "85358830";<85358830 at ...15456...>;
>       Sent: Tuesday, May 9, 2017, 11:28 PM
>       To: "Snort-users"<snort-users at lists.sourceforge.net>;
>       
>       Subject: [Snort-users] snort preprocessor reputation Shared memory loadentries always 0
>       
>       
>       
>       Good day to all! I'm using Snort 2.9.8.3 on a Debian 8.2 virtual machine to test reputation shared memory and the control socket. I'm following Snort manual section 2.2.20, shared memory support, step by step, but it looks like it does not work well.
>       
>       
>       My config file and white/black list files are in the mail attachments.
>       The following line is my snort start command:
>       ./snort -G 1 -Q --process-all-events -c ../etc/snort.conf
>       
>       
>       The following is the output of the snort:
>       .......
>       ...
>       Reputation config:
>           Reputation total memory usage: 0 bytes
>           Reputation total entries loaded: 0, invalid: 0, re-defined: 0
>           Memcap: 500 (Default) M bytes
>           Scan local network: ENABLED
>           Reputation priority:  whitelist(Default)
>           Nested IP: both
>           White action: unblack (Default)
>           Shared memory supported, Update directory: /usr/reputation/iplists
>           Shared memory refresh period: 60 (Default) seconds
>           Shared memory max instances: 2
>       
>       +++++++++++++++++++++++++++++++++++++++++++++++++++
>       Initializing rule chains...
>       1 Snort rules read
>           0 detection rules
>           0 decoder rules
>           1 preprocessor rules
>       1 Option Chains linked into 1 Chain Headers
>       0 Dynamic rules
>       +++++++++++++++++++++++++++++++++++++++++++++++++++
>       
>       ..........
>       .....
>       
>       
>       nfq DAQ configured to inline.
>       Reload thread starting...
>       Reload thread started, thread 0xa443db40 (25579)
>           Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
>       Mapped shared management region of size 128 as a reader.
>       
>       ........
>       .....
>       
>       
>       It appears that the blacklist is not loaded into shared memory. Why?
>       Who can tell me why?
>       
>       
>       I have been searching for a long time on the net, but no use. Please help or try to give some ideas on how to achieve this.
>       
>       I'm sorry my English is not good. Sorry, I am a novice.
>       Sorry.
>       
>        
>       
>       Can someone give me some help?
>       
>       Can the Chinese give me some help? In Chinese.
>       
>       I am a lonely self-learner; if you can give me a little help, thank you very much.
>       Best regards to all!
>       ------------------------------------------------------------------------------
>       Check out the vibrant tech community on one of the world's most
>       engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>       _______________________________________________
>       Snort-users mailing list
>       Snort-users at lists.sourceforge.net
>       Go to this URL to change user options or unsubscribe:
>       https://lists.sourceforge.net/lists/listinfo/snort-users
>       Snort-users list archive:
>       http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>       
>       Please visit http://blog.snort.org to stay current on all the latest Snort news!

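As an added example (not code from Snort, the thread, or any of its participants), the following Python script does two things the thread touches on: it reproduces the "loaded / invalid / re-defined" counts the Reputation Preprocessor prints for a list file, so a mismatch like "file has 4 IPs, loaded 3" can be caught before the writer instance picks the file up, and it decodes a control-socket type id such as 1361 using the generator-id arithmetic from the spp_reputation.h defines quoted above. The '#' comment syntax and the rule that a repeated address counts as "re-defined" are assumptions about the list format.

```python
"""Pre-flight check for a Snort reputation list (.blf/.wlf) and a decoder for
the control-socket type id given to snort_control (e.g. 1361). Added example,
not Snort's code; '#' comments and duplicate-as-re-defined are assumptions."""
import ipaddress
GENERATOR_SPP_REPUTATION = 136  # quoted from spp_reputation.h in the thread
CS_TYPES = {
    GENERATOR_SPP_REPUTATION * 10 + 1: "CS_TYPE_REPUTATION_SHAREMEM",
    GENERATOR_SPP_REPUTATION * 10 + 2: "CS_TYPE_REPUTATION_SHAREMEM_LOOKUP",
    GENERATOR_SPP_REPUTATION * 10 + 3: "CS_TYPE_REPUTATION_SHAREMEM_MGMT_INFO",
}

def decode_cs_type(cs_type):
    """Split a control-socket type id into (generator id, command, name)."""
    gid, cmd = divmod(cs_type, 10)
    return gid, cmd, CS_TYPES.get(cs_type, "unknown")

def count_list_entries(text):
    """Mirror the 'loaded / invalid / re-defined' summary Snort prints:
    one IP or CIDR per line, text after '#' ignored, blank lines skipped."""
    seen = set()
    counts = {"loaded": 0, "invalid": 0, "re-defined": 0}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:  # neither an IP address nor a CIDR block
            counts["invalid"] += 1
            continue
        if net in seen:
            counts["re-defined"] += 1
        else:
            seen.add(net)
            counts["loaded"] += 1
    return counts

# Constructed sample modelled on the thread's black_list.blf: the newly added
# address, one malformed line and one duplicate.
SAMPLE_BLF = """\
192.168.59.158/32
192.168.59.128/32
192.168.59.228/32
192.168.59.999/32   # invalid octet
192.168.59.128/32   # listed twice
"""
if __name__ == "__main__":
    print(count_list_entries(SAMPLE_BLF))  # {'loaded': 3, 'invalid': 1, 're-defined': 1}
    print(decode_cs_type(1361))            # (136, 1, 'CS_TYPE_REPUTATION_SHAREMEM')
```

Run it against the real list file before invoking snort_control; if "invalid" or "re-defined" is non-zero, the loaded count Snort reports will be lower than the number of lines in the file.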

More information about the Snort-users mailing list