Snort mailing list archives

Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor


From: Timo <snort () iu1 de>
Date: Fri, 6 Nov 2015 16:24:51 +0100

Btw: Is there a good and current publicly available blacklist available?
Searching the web I find only old and not very good lists, or only sites
allowing you to check single IPs but not to download the whole list.

On 06.11.2015 at 16:01, Timo wrote:
Hi,

I found the issue. When I created the blacklist and whitelist files I
copied blacklist to whitelist and forgot to remove the test IP from the
file whitelist. Sorry.
So my config works fine. Just use my initial mail as a guideline instead of
a question :).

cheers
Timo



On 06.11.2015 at 15:04, Evgeniy Sudyr wrote:
If I understood you correctly then you need to check

config policy_mode:tap

More details there: http://manual.snort.org/node11.html



On Fri, Nov 6, 2015 at 1:55 PM, Timo <snort () iu1 de> wrote:

     Hi,

     this is my first post. Hope I'm doing this correctly.

     I have a problem with preprocessor reputation. I set everything up, but
     no alerts about blocked IPs. Other alerts show up fine.

     # Reputation preprocessor. For more information see README.reputation
     preprocessor reputation: \
          memcap 500, \
          scan_local, \
          priority whitelist, \
          nested_ip both, \
          whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
          blacklist $BLACK_LIST_PATH/iplists/default.blacklist

     default.blacklist currently contains one IP for testing. (Plain IP
     xxx.xxx.xxx.xxx.)
     default.whitelist is empty.

     I use pulledpork for rules. So all rules are in snort.rules.
     Within snort.rules there are the corresponding rules for preprocessor
     reputation:
     alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1;
     metadata: rule-type preproc ; classtype:bad-unknown; )
     alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1;
     metadata: rule-type preproc ; classtype:bad-unknown; )

     For GUI I use Snorby.

     Log output goes to unified2:
     output unified2: filename snort.u2, limit 128

     I use barnyard to send logs to mysql:
     output database: log, mysql, user=xxxx password=xxxx dbname=xxxx
     host=localhost

     Alerts work fine for standard snort rules. Also preprocessor alerts are
     logged. For example I had a lot of stream5 alerts in the past. I
     disabled them by using threshold.conf:
     ...
     suppress gen_id 129, sig_id 0
     ...
     #suppress gen_id 136, sig_id 0
     ...
     In order to receive alerts from the reputation preprocessor I do NOT suppress
     gen_id 136. But there are no alerts about IPs within the blacklist.

     grep 136 gen-msg.map
     136 || 1 || reputation: Packet is blacklisted
     136 || 2 || reputation: Packet is whitelisted

     This is how I run Snort:
     /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i
     eth1 -D
     So it runs in IDS mode.

     What am I doing wrong? I don't want to drop blacklisted IPs. I just want
     alerts about blacklisted IPs. I want to know if a host contacts a CNC
     server or something.

     Any ideas?

     Cheers
     Timo

     ------------------------------------------------------------------------------
     _______________________________________________
     Snort-users mailing list
     Snort-users () lists sourceforge net
     <mailto:Snort-users () lists sourceforge net>
     Go to this URL to change user options or unsubscribe:
     https://lists.sourceforge.net/lists/listinfo/snort-users
     Snort-users list archive:
     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

     Please visit http://blog.snort.org to stay current on all the latest
     Snort news!




--
With regards,
Eugene Sudyr


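The root cause in this thread was an IP present in both list files while the preprocessor was configured with `priority whitelist`, so the whitelist verdict silently won and no gid 136 sid 1 event was ever generated. The following is an added example, not code from the thread or from the Snort project: a small pre-deployment lint that parses the two list files in the plain one-entry-per-line format shown above (single IPs, CIDR blocks and `#` comments, which is how this example assumes the files are written), reports entries that overlap between the blacklist and the whitelist, and reproduces the verdict an address would get under `priority whitelist` versus `priority blacklist`. The list contents, the test addresses and the function names are all constructed for the example.

```python
"""Lint Snort reputation preprocessor IP lists before deployment (added example).

Catches the misconfiguration from the thread: an address that appears in both
default.blacklist and default.whitelist, which under `priority whitelist`
never produces a REPUTATION_EVENT_BLACKLIST (gid 136, sid 1) alert.
"""
import ipaddress
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample contents. In a real check these would be read from
# $BLACK_LIST_PATH/iplists/default.blacklist and
# $WHITE_LIST_PATH/iplists/default.whitelist.
BLACKLIST_TEXT = """\
# constructed test entries (documentation ranges)
203.0.113.7
198.51.100.0/24
"""
WHITELIST_TEXT = """\
# copied from the blacklist and not cleaned up: the test IP is still here
203.0.113.7
192.0.2.0/24
"""


def parse_list(text: str) -> list:
    """Parse one IP or CIDR per line; '#' starts a comment. Raises on bad lines."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 10.1.2.3/24)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from exc
    return nets


def contains(nets: list, ip: str) -> bool:
    """True if the address falls inside any network of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def verdict(ip: str, blacklist: list, whitelist: list,
            priority: str = "whitelist") -> str:
    """Return which list wins for ip: 'blacklist', 'whitelist' or 'none'.

    When an address is on both lists the configured `priority` decides,
    mirroring the `priority whitelist` / `priority blacklist` option.
    """
    if priority not in ("whitelist", "blacklist"):
        raise ValueError("priority must be 'whitelist' or 'blacklist'")
    in_black = contains(blacklist, ip)
    in_white = contains(whitelist, ip)
    if in_black and in_white:
        return priority
    if in_black:
        return "blacklist"
    if in_white:
        return "whitelist"
    return "none"


def overlaps(blacklist: list, whitelist: list) -> list:
    """Return (black_net, white_net) pairs that share at least one address."""
    return [(b, w) for b in blacklist for w in whitelist
            if b.version == w.version and b.overlaps(w)]


def lint(black_text: str, white_text: str) -> list:
    """Human-readable findings for entries that shadow each other."""
    black = parse_list(black_text)
    white = parse_list(white_text)
    return [f"blacklist {b} overlaps whitelist {w}; with 'priority whitelist' "
            f"no gid 136 sid 1 alert will fire for these addresses"
            for b, w in overlaps(black, white)]


if __name__ == "__main__":
    for finding in lint(BLACKLIST_TEXT, WHITELIST_TEXT):
        print("WARNING:", finding)
    b, w = parse_list(BLACKLIST_TEXT), parse_list(WHITELIST_TEXT)
    for ip in ("203.0.113.7", "198.51.100.9", "10.0.0.1"):
        print(ip, "->", verdict(ip, b, w, "whitelist"))
```

Running it against the constructed lists prints one warning for `203.0.113.7/32`, which is exactly the situation Timo described: the test address is shadowed by the whitelist copy, so switching to `priority blacklist` or removing the stray entry is what makes the alert appear.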
