Snort mailing list archives

Reputation preprocessor isn't blocking traffic
From: Dave Corsello <snort-users () wintertreemedia com>
Date: Sat, 07 Dec 2013 22:04:29 -0500

Hi,

I'm running Snort 2.9.5.5 inline.  My reputation preprocessor doesn't
seem to be blocking all of the traffic that it's configured to block.
My snort.conf contains:

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/default.whitelist, \
   blacklist $BLACK_LIST_PATH/default.blacklist

My default.whitelist file is empty.  My default.blacklist file contains
around 2600 entries, most of which come from labs.snort.org via
pulledpork, and two of which I added manually.  (I'm just realizing that
the two that I added today will probably be lost when pulledpork runs
again.  But they are currently still there.)

When snort initializes, the following messages are displayed:

Dec  7 14:11:40 sensor1 snort[14229]: Reputation config:
Dec  7 14:11:40 sensor1 snort[14229]: WARNING:
/etc/snort/snort.conf(514) => Keyword priority for whitelist is not
applied when white action is unblack.
Dec  7 14:11:40 sensor1 snort[14229]:     Processing whitelist file
/etc/snort/rules/default.whitelist
Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded: 0,
invalid: 0, re-defined: 0 (from file /etc/snort/rules/default.whitelist)
Dec  7 14:11:40 sensor1 snort[14229]:     Processing blacklist file
/etc/snort/rules/default.blacklist
Dec  7 14:11:40 sensor1 snort[14229]:     Reputation entries loaded:
3955, invalid: 0, re-defined: 0 (from file
/etc/snort/rules/default.blacklist)
Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total memory usage:
6156928 bytes
Dec  7 14:11:40 sensor1 snort[14229]:     Reputation total entries
loaded: 3955, invalid: 0, re-defined: 0
Dec  7 14:11:40 sensor1 snort[14229]:     Memcap: 500 (Default) M bytes
Dec  7 14:11:40 sensor1 snort[14229]:     Scan local network: DISABLED
(Default)
Dec  7 14:11:40 sensor1 snort[14229]:     Reputation priority:  blacklist
Dec  7 14:11:40 sensor1 snort[14229]:     Nested IP: inner (Default)
Dec  7 14:11:40 sensor1 snort[14229]:     White action: unblack (Default)
Dec  7 14:11:40 sensor1 snort[14229]:     Shared memory is Not supported.

When snort is terminated, a non-zero "Number of packets blacklisted" is
often included in the statistics.  So, it looks like some traffic is
being blacklisted.

However, it appears that all traffic from the two addresses that I added
to the blacklist is being allowed to pass through.  The first address is
an actual source of annoying traffic.  The second is a known good
address that I blacklisted for testing.  Any ideas why the traffic is
not being blocked?

--Dave
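When a reputation list does not behave as expected, the first thing to verify is what the list file actually contains and whether the address in question is covered by any entry in it. The script below is an added example for this thread, not part of Dave's post or of the Snort project; it parses a file in the Snort reputation list format (one IP or CIDR block per line, `#` starting a comment), reports invalid and duplicated lines, and answers "which entries would match this address?" for a given IP. The sample list is constructed from documentation address ranges, and the loaded/invalid/re-defined counts are the script's own bookkeeping, not a reproduction of Snort's internal accounting.

```python
import ipaddress

# Constructed sample in the Snort reputation list format: one IP or CIDR per
# line, '#' starts a comment. Documentation ranges only; not a real feed.
SAMPLE_BLACKLIST = """\
# constructed sample, not a real feed
198.51.100.0/24
203.0.113.7
203.0.113.7        # duplicate on purpose
192.0.2.0/24
192.0.2.128/25     # nested inside the /24 above
not-an-address
"""


def parse_reputation_list(text):
    """Parse list text into (networks, invalid_lines, redefined_count).

    Single hosts are normalised to /32 (or /128) networks so that plain IPs
    and CIDR blocks can be compared and matched the same way.
    """
    networks, invalid, seen, redefined = [], [], set(), 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            invalid.append((lineno, line))        # what Snort would call "invalid"
            continue
        if net in seen:
            redefined += 1                        # exact repeat of an earlier entry
            continue
        seen.add(net)
        networks.append(net)
    return networks, invalid, redefined


def matching_entries(networks, ip):
    """Return every list entry that contains the given address."""
    addr = ipaddress.ip_address(ip)
    return [n for n in networks if addr.version == n.version and addr in n]


def nested_entries(networks):
    """Return (inner, outer) pairs where inner is entirely inside another entry.

    Such entries are redundant; they are worth knowing about when a list
    count looks larger than the number of distinct ranges you expected.
    """
    pairs = []
    for inner in networks:
        for outer in networks:
            if inner is not outer and inner.version == outer.version \
                    and inner.subnet_of(outer):
                pairs.append((inner, outer))
    return pairs


def summary_line(networks, invalid, redefined):
    """Mimic the shape of Snort's 'Reputation entries loaded' message."""
    return "entries loaded: %d, invalid: %d, re-defined: %d" % (
        len(networks), len(invalid), redefined)


if __name__ == "__main__":
    nets, bad, redef = parse_reputation_list(SAMPLE_BLACKLIST)
    print(summary_line(nets, bad, redef))
    for lineno, text in bad:
        print("  invalid line %d: %r" % (lineno, text))
    for inner, outer in nested_entries(nets):
        print("  %s is already covered by %s" % (inner, outer))
    # Check the addresses you expect to be blocked against the parsed list.
    for probe in ("192.0.2.200", "203.0.113.7", "10.0.0.1"):
        hits = matching_entries(nets, probe)
        print("  %s -> %s" % (probe, [str(h) for h in hits] or "no entry matches"))
```

Run it against the real file with `parse_reputation_list(open("/etc/snort/rules/default.blacklist").read())` and probe the two manually added addresses: if `matching_entries` returns nothing for them, the file Snort is loading is not the file you edited (or the edit was overwritten); if it returns a match, the list is fine and the cause lies elsewhere in the configuration.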
