Snort mailing list archives
Problem with reputation preprocessor in snort version 2.9.8.0 ??
From: Timo <snort () iu1 de>
Date: Wed, 9 Dec 2015 11:03:59 +0100
Hi,

I just updated from Snort 2.9.7.6 to 2.9.8.0 (did the update from one to another machine - but same OS - Ubuntu 14 LTS). I copied the configuration from old version to new version. Everything seems to work but the reputation preprocessor. I receive absolutely no alerts about IPs listed in my ipblacklist.

I also tested with "/usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -A console". Rules alert fine, but blocked IPs not.

Is there a known issue with reputation preprocessor in this version?

This is my config:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   scan_local, \
   priority whitelist, \
   nested_ip both, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/iplists/default.whitelist, \
   blacklist $BLACK_LIST_PATH/iplists/default.blacklist, \
   blacklist $BLACK_LIST_PATH/iplists/additional.blacklist

default.whitelist is empty.
default.blacklist is around 588KB
additional.blacklist is around 360KB

gen-msg.map:
...
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
...

threshold.conf:
#suppress gen_id 129, sig_id 12
#suppress gen_id 129, sig_id 15
suppress gen_id 105, sig_id 0
suppress gen_id 106, sig_id 0
suppress gen_id 112, sig_id 0
suppress gen_id 116, sig_id 0
suppress gen_id 119, sig_id 0
suppress gen_id 120, sig_id 0
suppress gen_id 122, sig_id 0
suppress gen_id 123, sig_id 0
suppress gen_id 124, sig_id 0
suppress gen_id 125, sig_id 0
suppress gen_id 126, sig_id 0
suppress gen_id 127, sig_id 0
suppress gen_id 128, sig_id 0
suppress gen_id 129, sig_id 0
suppress gen_id 131, sig_id 0
suppress gen_id 132, sig_id 0
suppress gen_id 133, sig_id 0
suppress gen_id 134, sig_id 0
#suppress gen_id 136, sig_id 0
suppress gen_id 137, sig_id 0
suppress gen_id 139, sig_id 0
suppress gen_id 140, sig_id 0
suppress gen_id 141, sig_id 0
suppress gen_id 142, sig_id 0
suppress gen_id 143, sig_id 0
suppress gen_id 1, sig_id 1852

cheers
Timo