Snort mailing list archives
Re: reputation preprocessor and IDS
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 4 Jun 2013 16:17:12 -0400
On Tue, Jun 4, 2013 at 4:04 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 6/4/2013 15:36, JJC wrote:Yes, the IP Rep preprocessor works in passive mode just like it does ininlinemode, other than drop of course.correct on the drop method... we don't even use it :) i'll have to dig and see if there is/was a bug that was fixed from 2.9.4.1 to the latest snort versions... i whitelisted a CIDR block and they still generate alerts... specifically, we saw alerts on 129:20 when snort was reloading after setting the CIDR block in the whitelist file and bouncing snort with a complete exit and startup... we've also seen 128:4 when sshing into that sensor on a non-standard port but we DO have that non-standard port listed in the ssh config section of snort.conf... these alerts happen for only a short time and then snort seems to settle down and stop issuing them even though those same connections are still active or being terminated and restarted again...
Do you have stream5_tcp: require_3whs set? That might help reach steady state sooner.
i've just tested again an hour after the above alerts were logged and am seeing the same alerts as noted above... the traffic is very light compared to what many systems see... it is only a 100M internal LAN... there /may/ be some swapping going on on that test sensor... i'm seeing 7M of swap space currently used but i really don't think that that is getting in the way here...
Do you have reputation: white trust set? Default is to unblack (not trust). Also, you may need to set reputation: scan_local if the alerts are on local addresses.
On Tue, Jun 4, 2013 at 1:27 PM, waldo kitty <wkitty42 () windstream net <mailto:wkitty42 () windstream net>> wrote: does the reputation preprocessor work in IDS (non-inline) mode? eg: if one places an IP in the whitelist, that IP still generatesalerts. itshould not, should it? shouldn't it just pass right on thru allprocessing? -- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ How ServiceNow helps IT people transform IT departments: 1. A cloud service to automate IT design, transition and operations 2. Dashboards that offer high-level views of enterprise services 3. A single system of record for all IT processes http://p.sf.net/sfu/servicenow-d2d-j _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ How ServiceNow helps IT people transform IT departments: 1. A cloud service to automate IT design, transition and operations 2. Dashboards that offer high-level views of enterprise services 3. A single system of record for all IT processes http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS JJC (Jun 04)
- Re: reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS Russ Combs (Jun 04)
- Re: reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS Joel Esler (Jun 04)
- Re: reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS waldo kitty (Jun 04)
- Re: reputation preprocessor and IDS JJC (Jun 04)