Re: reputation preprocessor and IDS

[Russ Combs <rcombs () sourcefire com>]

On Tue, Jun 4, 2013 at 4:04 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 6/4/2013 15:36, JJC wrote:
> > Yes, the IP Rep preprocessor works in passive mode just like it does in
> inline
> > mode, other than drop of course.
>
> correct on the drop method... we don't even use it :)
>
> i'll have to dig and see if there is/was a bug that was fixed from 2.9.4.1
> to
> the latest snort versions... i whitelisted a CIDR block and they still
> generate
> alerts... specifically, we saw alerts on 129:20 when snort was reloading
> after
> setting the CIDR block in the whitelist file and bouncing snort with a
> complete
> exit and startup... we've also seen 128:4 when sshing into that sensor on a
> non-standard port but we DO have that non-standard port listed in the ssh
> config
> section of snort.conf... these alerts happen for only a short time and then
> snort seems to settle down and stop issuing them even though those same
> connections are still active or being terminated and restarted again...

Do you have stream5_tcp: require_3whs set?  That might help reach steady
state sooner.

> i've just tested again an hour after the above alerts were logged and am
> seeing
> the same alerts as noted above... the traffic is very light compared to
> what
> many systems see... it is only a 100M internal LAN... there /may/ be some
> swapping going on on that test sensor... i'm seeing 7M of swap space
> currently
> used but i really don't think that that is getting in the way here...

Do you have reputation: white trust set?  Default is to unblack (not trust).

Also, you may need to set reputation: scan_local if the alerts are on local
addresses.

> > On Tue, Jun 4, 2013 at 1:27 PM, waldo kitty <wkitty42 () windstream net
> > <mailto:wkitty42 () windstream net>> wrote:
> >
> >
> >     does the reputation preprocessor work in IDS (non-inline) mode?
> >
> >     eg: if one places an IP in the whitelist, that IP still generates
> alerts. it
> >     should not, should it? shouldn't it just pass right on thru all
> processing?
>
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. A cloud service to automate IT design, transition and operations
> 2. Dashboards that offer high-level views of enterprise services
> 3. A single system of record for all IT processes
> http://p.sf.net/sfu/servicenow-d2d-j
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!