Snort mailing list archives
Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor
From: Timo <snort () iu1 de>
Date: Fri, 6 Nov 2015 16:24:51 +0100
Btw: Is there a good and current publicly available blacklist available? Searching the web I find only old and poor lists, or only sites that allow checking single IPs but not downloading the whole list.

On 06.11.2015 at 16:01, Timo wrote:
Hi,

I found the issue. When I created the blacklist and whitelist files I copied the blacklist to the whitelist and forgot to remove the test IP from the whitelist file. Sorry. So my config works fine. Just use my initial mail as a guideline instead of a question :).

cheers
Timo

On 06.11.2015 at 15:04, Evgeniy Sudyr wrote:

If I understood you correctly then you need to check config policy_mode:tap

More details there: http://manual.snort.org/node11.html

On Fri, Nov 6, 2015 at 1:55 PM, Timo <snort () iu1 de> wrote:

Hi,

this is my first post. Hope I do it correctly.

I have a problem with preprocessor reputation. I set everything up, but no alerts about blocked IPs. Other alerts show up fine.

    # Reputation preprocessor. For more information see README.reputation
    preprocessor reputation: \
        memcap 500, \
        scan_local, \
        priority whitelist, \
        nested_ip both, \
        whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
        blacklist $BLACK_LIST_PATH/iplists/default.blacklist

default.blacklist currently contains one IP for testing. (Plain IP xxx.xxx.xxx.xxx.) default.whitelist is empty.

I use pulledpork for rules. So all rules are in snort.rules. Within snort.rules there are the corresponding rules for preprocessor reputation:

    alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
    alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

For GUI I use Snorby. Log output goes to unified2:

    output unified2: filename snort.u2, limit 128

I use barnyard to send logs to mysql:

    output database: log, mysql, user=xxxx password=xxxx dbname=xxxx host=localhost

Alerts work fine for standard snort rules. Also preprocessor alerts are logged. For example I had a lot of stream5 alerts in the past. I disabled them by using threshold.conf:

    ...
    suppress gen_id 129, sig_id 0
    ...
    #suppress gen_id 136, sig_id 0
    ...

In order to receive alerts from the reputation preprocessor I do NOT suppress id 136. But there are no alerts about IPs within the blacklist.

    grep 136 gen-msg.map
    136 || 1 || reputation: Packet is blacklisted
    136 || 2 || reputation: Packet is whitelisted

This is how I run Snort:

    /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D

So it runs in IDS mode.

What am I doing wrong? I don't want to drop blacklisted IPs. I just want alerts about blacklisted IPs. I want to know if a host contacts a CNC server or something.

Any ideas?

Cheers
Timo

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
With regards,
Eugene Sudyr
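The root cause in this thread (the test IP ending up in both list files while the preprocessor runs with priority whitelist) is easy to catch before restarting Snort. The following is an added example, not code from the post or from the Snort project: a small Python linter that parses the two list files in the preprocessor's one-IP-or-CIDR-per-line format ('#' starts a comment), reports blacklist entries that overlap whitelist entries, and models the per-address decision for a given priority setting. The sample list contents are constructed (RFC 5737 documentation ranges) and reproduce the copy-paste mistake from the thread; the decision model is a simplification that ignores nested_ip and scan_local.

```python
import ipaddress

# Constructed sample list files (documentation ranges, not real indicators).
# The whitelist reproduces the mistake from the thread: it was copied from
# the blacklist and the test IP was never removed.
BLACKLIST_TEXT = """\
# default.blacklist (constructed sample)
192.0.2.10          # test IP
198.51.100.0/24     # constructed C2 range
"""

WHITELIST_TEXT = """\
# default.whitelist (constructed sample, copied from the blacklist by accident)
192.0.2.10
"""


def parse_iplist(text):
    """Parse a reputation list: one IP or CIDR per line, '#' starts a comment.

    A bare address such as 192.0.2.10 becomes a /32 (or /128) network.
    Raises ValueError with the line number for anything that does not parse.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from exc
    return nets


def find_overlap(blacklist, whitelist):
    """Return (blacklist_entry, whitelist_entry) pairs whose ranges intersect."""
    return [(b, w) for b in blacklist for w in whitelist
            if b.version == w.version and b.overlaps(w)]


def verdict(ip, blacklist, whitelist, priority="whitelist"):
    """Simplified model of the preprocessor's per-address decision.

    Returns "blacklist", "whitelist", or None when the address is on neither
    list. `priority` says which list wins when the address is on both
    (Snort's default is whitelist). nested_ip and scan_local are not modelled.
    """
    if priority not in ("blacklist", "whitelist"):
        raise ValueError(f"priority must be blacklist or whitelist, got {priority!r}")
    addr = ipaddress.ip_address(ip)
    on_black = any(addr in n for n in blacklist)
    on_white = any(addr in n for n in whitelist)
    if on_black and on_white:
        return priority
    if on_black:
        return "blacklist"
    if on_white:
        return "whitelist"
    return None


def lint_lists(black_text, white_text, priority="whitelist"):
    """Return human-readable findings for a blacklist/whitelist pair."""
    black = parse_iplist(black_text)
    white = parse_iplist(white_text)
    loser = "blacklist" if priority == "whitelist" else "whitelist"
    return [
        f"{b} (blacklist) overlaps {w} (whitelist); with priority {priority} "
        f"the {loser} entry will not fire for the shared addresses"
        for b, w in find_overlap(black, white)
    ]


if __name__ == "__main__":
    for finding in lint_lists(BLACKLIST_TEXT, WHITELIST_TEXT):
        print(finding)
    black = parse_iplist(BLACKLIST_TEXT)
    white = parse_iplist(WHITELIST_TEXT)
    print("192.0.2.10 ->", verdict("192.0.2.10", black, white))
```

To run it against a real deployment, pass the contents of the two files named in the `preprocessor reputation:` stanza to `lint_lists` and match the `priority` argument to the configured value; a non-empty result means some blacklisted addresses will silently never raise gid 136 sid 1, which is exactly the symptom the thread started with.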
Current thread:
- How to alert blacklisted IPs in Snort IDS - Reputation preprocessor Timo (Nov 06)
- Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor Evgeniy Sudyr (Nov 06)
- Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor Timo (Nov 06)
- Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor Timo (Nov 06)
- Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor Joel Esler (jesler) (Nov 09)
- Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor Timo (Nov 11)
- Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor Joel Esler (jesler) (Nov 11)
- Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor Timo (Nov 06)
- Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor Evgeniy Sudyr (Nov 06)