Re: Is the reputation preprocessor still experimental?

[Russ Combs <rcombs () sourcefire com>]

Glad to hear the reputation preprocessor is working for you.  The active
response rule options are intended to be used within regular detection
rules that provide session context.  That way you can ensure that your web
page is being sent in response to an HTTP request and that it is only sent
once per session.  Those key aspects are lost when you try to use the
reputation preprocessor rule.  Is there a reason you aren't still using
your detection rule?

On Fri, Jun 15, 2012 at 8:53 AM, Guillaume Daleux <
guillaume.daleux () abovesecurity com> wrote:

> Hello,
>
> For information, we use it for two months in a preproduction environment
> and it works very well. We have only one problem with the react keyword
> which works in detection rules but not with reputation rule.
>
> preprocessor reputation: blacklist ip_reputation, scan_local
> config react: /usr/local/IDS/snort/snortIPS1/conf/block.html
>
> with rule :
>
> drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1;
> react; )
>
> Thanks you
>
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler () sourcefire com]
> Sent: Thursday, June 14, 2012 5:39 PM
> To: Miguel Alvarez
> Cc: Snort Users
> Subject: Re: [Snort-users] Is the reputation preprocessor still
> experimental?
>
> On Jun 12, 2012, at 2:09 PM, Miguel Alvarez <miguellvrz9 () gmail com>
> wrote:
>
> > Hello,
> >
> > I was just looking at the README.reputation and it says that it is
> > experimental and not to be used in production environments.  Is that
> > still the case?
> It's still experimental, and there are more improvements to it in the
> next version of Snort, however, we need as many people to test it as
> possible.
>
> Thanks.
>
> Joel
>
>
>
> ------------------------------------------------------------------------
> ------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond.
> Discussions
> will include endpoint security, mobile security and the latest in
> malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!