mailing list archives
Re: reputation preprocessor and IDS
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Jun 2013 21:07:06 -0400
On 6/4/2013 16:17, Russ Combs wrote:
On Tue, Jun 4, 2013 at 4:04 PM, waldo kitty <wkitty42 () windstream net> wrote:
i'll have to dig and see if there is/was a bug that was fixed from 18.104.22.168
to the latest snort versions... i whitelisted a CIDR block and they still
generate alerts... specifically, we saw alerts on 129:20 when snort was
reloading after setting the CIDR block in the whitelist file and bouncing
snort with a complete exit and startup... we've also seen 128:4 when sshing
into that sensor on a non-standard port but we DO have that non-standard port
listed in the ssh config section of snort.conf... these alerts happen for
only a short time and then snort seems to settle down and stop issuing them
even though those same connections are still active or being terminated and
Do you have stream5_tcp: require_3whs set? That might help reach steady
yes, that has been part of our config files since it was introduced...
i've just tested again an hour after the above alerts were logged and am
seeing the same alerts as noted above... the traffic is very light compared
to what many systems see... it is only a 100M internal LAN... there /may/ be
some swapping going on on that test sensor... i'm seeing 7M of swap space
currently used but i really don't think that that is getting in the way
Do you have reputation: white trust set? Default is to unblack (not trust).
ahhh... it is at the default... whitelist is the only one with any entries and
the settings are the defaults in the distributed snort.conf... i will have to
check that out...
the term 'unblack' seemed to mean 'treat the entry as not black if it is listed
in the blacklist'... in other words, it is 'white' and therefore trusted... the
documentation could use some work in this area ;)
Also, you may need to set reputation: scan_local if the alerts are on local
well, it is a local LAN... snort is looking only at the traffic outside of its
machine... not on its interior protected LAN... the addresses are RFC1918 but
not within the netblock protected by snort...
eg: 192.168.100.0/24 -> sensor -> 192.168.200.0/24
the sensor's external address is 192.168.100.23/255.255.255.0 and its internal
address is 192.168.200.1/255.255.255.0... yes, this sensor is a
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Please visit http://blog.snort.org to stay current on all the latest Snort news!