[Snort-users] Ubuntu16.04 dynamic preprocess reputation didn't alert

cha shao 2chashao at gmail.com
Wed Jun 13 04:15:25 EDT 2018


I have edited snort.conf and added the following:

preprocessor reputation: \
scan_local, \
blacklist black.lists, \
whitelist white.lists

And in the snort.conf I added a preprocess.rules which has two alert rules:
include $RULE_PATH/preprocessor.rules
These are the two rules about reputation:
alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

And I start snort like this:
sudo snort -c /home/ss/Downloads/snort_conf/snort.conf
But nothing was in the snort.alert.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/home/ss/Downloads/snort_conf/snort.conf"
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /home/ss/Downloads/snort_conf/log
Reputation config:
    Processing blacklist file /home/ss/Downloads/snort_conf/black.lists
    Reputation entries loaded: 1, invalid: 0, re-defined: 0 (from file /home/ss/Downloads/snort_conf/black.lists)
    Processing whitelist file /home/ss/Downloads/snort_conf/white.lists
    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /home/ss/Downloads/snort_conf/white.lists)
    Reputation total memory usage: 329508 bytes
    Reputation total entries loaded: 1, invalid: 0, re-defined: 0
    Memcap: 500 (Default) M bytes
    Scan local network: ENABLED
    Reputation priority:  whitelist(Default)
    Nested IP: inner (Default)
    White action: unblack (Default)
    Shared memory is Not supported.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
How can I solve this problem? Thanks 😁
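
The following is an added troubleshooting example, not part of the original post and not Snort's own code: it parses a reputation list the way the startup log counts it (loaded / invalid) and checks whether the addresses in a test packet would hit the blacklist, including the RFC 1918 skip that `scan_local` disables. It assumes the list format of one IP or CIDR per line with `#` comments; the function names, the sample list contents and the simplified "white = unblack" model are illustrative assumptions.

```python
import ipaddress

# RFC 1918 ranges that are not inspected unless scan_local is set.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_list(text):
    """Parse a reputation list: one IP or CIDR per line, '#' starts a comment.
    Returns (networks, invalid_count), mirroring the 'loaded/invalid' log line."""
    nets, invalid = [], 0
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue  # blank line or comment-only line
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid += 1
    return nets, invalid

def match(addr, nets, scan_local):
    """Return the list entry covering addr, or None if skipped or not listed."""
    ip = ipaddress.ip_address(addr)
    if not scan_local and any(ip in n for n in RFC1918):
        return None  # private address, skipped without scan_local
    return next((n for n in nets if ip in n), None)

def verdict(src, dst, black, white, scan_local=False):
    """Simplified model of the defaults shown in the log (white = unblack):
    a blacklist hit counts unless the same address is also whitelisted."""
    for addr in (src, dst):
        hit = match(addr, black, scan_local)
        if hit is not None and match(addr, white, scan_local) is None:
            return "blacklist"
    return None

# Constructed sample list contents (not the poster's real files).
BLACK = "# test entry\n192.168.1.50\n203.0.113.0/24  # doc range\nnot-an-ip\n"
WHITE = "203.0.113.7\n"

if __name__ == "__main__":
    black, bad = parse_list(BLACK)
    white, _ = parse_list(WHITE)
    print("loaded:", len(black), "invalid:", bad)
    print(verdict("192.168.1.50", "192.168.1.1", black, white, scan_local=True))
    print(verdict("192.168.1.50", "192.168.1.1", black, white, scan_local=False))
```

If the addresses in the test traffic do not match any loaded entry here, no reputation event is expected regardless of how the alert output is configured.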