Home page logo
/

snort logo Snort mailing list archives

Re: reputation preprocessor and IDS
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Jun 2013 21:07:06 -0400

On 6/4/2013 16:17, Russ Combs wrote:
On Tue, Jun 4, 2013 at 4:04 PM, waldo kitty <wkitty42 () windstream net> wrote:
i'll have to dig and see if there is/was a bug that was fixed from 2.9.4.1
to the latest snort versions... i whitelisted a CIDR block and they still
generate alerts... specifically, we saw alerts on 129:20 when snort was
reloading after setting the CIDR block in the whitelist file and bouncing
snort with a complete exit and startup... we've also seen 128:4 when sshing
into that sensor on a non-standard port but we DO have that non-standard port
listed in the ssh config section of snort.conf... these alerts happen for
only a short time and then snort seems to settle down and stop issuing them
even though those same connections are still active or being terminated and
restarted again...

Do you have stream5_tcp: require_3whs set?  That might help reach steady
state sooner.

yes, that has been part of our config files since it was introduced...

i've just tested again an hour after the above alerts were logged and am
seeing the same alerts as noted above... the traffic is very light compared
to what many systems see... it is only a 100M internal LAN... there /may/ be
some swapping going on on that test sensor... i'm seeing 7M of swap space
currently used but i really don't think that that is getting in the way
here...

Do you have reputation: white trust set?  Default is to unblack (not trust).

ahhh... it is at the default... whitelist is the only one with any entries and 
the settings are the defaults in the distributed snort.conf... i will have to 
check that out...

the term 'unblack' seemed to mean 'treat the entry as not black if it is listed 
in the blacklist'... in other words, it is 'white' and therefore trusted... the 
documentation could use some work in this area ;)

Also, you may need to set reputation: scan_local if the alerts are on local
addresses.

well, it is a local LAN... snort is looking only at the traffic outside of its 
machine... not on its interior protected LAN... the addresses are RFC1918 but 
not within the netblock protected by snort...

eg: 192.168.100.0/24 -> sensor -> 192.168.200.0/24

the sensor's external address is 192.168.100.23/255.255.255.0 and its internal 
address is 192.168.200.1/255.255.255.0... yes, this sensor is a 
firewall/NAT_router device...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]