Snort mailing list archives

Re: How to alert blacklisted IPs in Snort IDS - Reputation preprocessor


From: Timo <snort () iu1 de>
Date: Wed, 11 Nov 2015 11:02:13 +0100

Thank you. I saw this list within the pulled pork config. I was just 
wondering if this one is a good list with up-to-date content.
For testing I copied a bunch of those IPs to http://trustedsource.org/ 
(which is a very good service). Unfortunately nearly all IPs are not 
categorized or blocked. So I had the impression the list might not be 
that up-to-date. From what sources is the list built?

Timo



On 10.11.2015 at 06:28, Joel Esler (jesler) wrote:
We make one available for free, it’s built in, by default, to pulledpork
(the rule updater we recommend you use), also available here:

http://talosintel.com/feeds/ip-filter.blf


--
*Joel Esler*
Manager, Talos Group




On Nov 6, 2015, at 9:24 AM, Timo <snort () iu1 de> wrote:

Btw: Is there a good and current publicly available blacklist available?
Searching the web I find only old and not-so-good lists, or only sites
allowing you to check single IPs but not to download the whole list.

On 06.11.2015 at 16:01, Timo wrote:
Hi,

I found the issue. When I created the blacklist and whitelist files I
copied blacklist to whitelist and forgot to remove the test IP from the
file whitelist. Sorry.
So my config works fine. Just use my initial mail as a guideline instead of
a question :).

cheers
Timo



On 06.11.2015 at 15:04, Evgeniy Sudyr wrote:
If I understood you correctly, then you need to check

config policy_mode:tap

More details there: http://manual.snort.org/node11.html



On Fri, Nov 6, 2015 at 1:55 PM, Timo <snort () iu1 de> wrote:

    Hi,

    this is my first post. Hope I'm doing this correctly.

    I have a problem with the reputation preprocessor. I set everything up,
    but no alerts about blocked IPs. Other alerts show up fine.

    # Reputation preprocessor. For more information see README.reputation
    preprocessor reputation: \
         memcap 500, \
         scan_local, \
         priority whitelist, \
         nested_ip both, \
         whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
         blacklist $BLACK_LIST_PATH/iplists/default.blacklist

    default.blacklist currently contains one IP for testing. (Plain IP
    xxx.xxx.xxx.xxx.)
    default.whitelist is empty.

    I use pulledpork for rules. So all rules are in snort.rules.
    Within snort.rules there are the corresponding rules for the
    reputation preprocessor:
    alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1;
    metadata: rule-type preproc ; classtype:bad-unknown; )
    alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1;
    metadata: rule-type preproc ; classtype:bad-unknown; )

    For GUI I use Snorby.

    Log output goes to unified2:
    output unified2: filename snort.u2, limit 128

    I use barnyard to send logs to mysql:
    output database: log, mysql, user=xxxx password=xxxx dbname=xxxx
    host=localhost

    Alerts work fine for standard snort rules. Also preprocessor alerts are
    logged. For example I had a lot of stream5 alerts in the past. I
    disabled them by using threshold.conf:
    ...
    suppress gen_id 129, sig_id 0
    ...
    #suppress gen_id 136, sig_id 0
    ...
    In order to receive alerts from the reputation preprocessor I do NOT
    suppress id 136. But there are no alerts about IPs within the blacklist.

    grep 136 gen-msg.map
    136 || 1 || reputation: Packet is blacklisted
    136 || 2 || reputation: Packet is whitelisted

    This is how I run Snort:
    /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D
    So it runs in IDS mode.

    What am I doing wrong? I don't want to drop blacklisted IPs. I just want
    alerts about blacklisted IPs. I want to know if a host contacts a CNC
    server or something.

    Any ideas?

    Cheers
    Timo

    ------------------------------------------------------------------------------
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

    Please visit http://blog.snort.org to stay current on all the latest
    Snort news!




--
With regards,
Eugene Sudyr




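The root cause in this thread (the test IP copied into the whitelist while `priority whitelist` is configured) can be caught by checking the two list files before restarting Snort. The script below is an added example, not code from the thread or from the Snort project; it assumes the README.reputation file format (one IP or CIDR per line, `#` starts a comment), and the sample lists are constructed to reproduce the mistake.

```python
# Added example: check Snort reputation list files for overlaps that, with
# "priority whitelist", silently swallow the expected blacklist alert.
# Assumes the README.reputation file format: one IP or CIDR per line,
# '#' starts a comment. The sample lists below are constructed.
import ipaddress

BLACKLIST = """# constructed test blacklist
192.0.2.10          # the single test IP from the thread
198.51.100.0/24
"""
# Copied from the blacklist with the test IP not removed (the thread's bug).
WHITELIST = """192.0.2.10
"""
FIXED_WHITELIST = "# empty whitelist, as intended\n"


def parse_list(text):
    """Parse a reputation list body into ip_network objects, rejecting bad lines."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad entry {entry!r}") from exc
    return nets

def overlaps(whitelist, blacklist):
    """Pairs of entries present in both lists; these are the conflict cases."""
    return [(w, b) for w in whitelist for b in blacklist if w.overlaps(b)]

def classify(ip, whitelist, blacklist, priority="whitelist"):
    """Which list wins for one address, given the configured 'priority'."""
    addr = ipaddress.ip_address(ip)
    in_white = any(addr in net for net in whitelist)
    in_black = any(addr in net for net in blacklist)
    if in_white and in_black:
        return priority  # conflict: the priority list decides
    return "whitelist" if in_white else "blacklist" if in_black else "none"

if __name__ == "__main__":
    white, black = parse_list(WHITELIST), parse_list(BLACKLIST)
    for w, b in overlaps(white, black):
        print(f"conflict: whitelist {w} overlaps blacklist {b}")
    print("192.0.2.10 ->", classify("192.0.2.10", white, black))  # whitelist
    print("192.0.2.10 ->", classify("192.0.2.10", parse_list(FIXED_WHITELIST), black))  # blacklist
```

Run it against the real `default.whitelist` and `default.blacklist` contents and any printed conflict is an entry that will never raise gid 136 sid 1 under `priority whitelist`.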
