Snort mailing list archives

Re: Reputation Preprocessor


From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 13 Oct 2013 15:19:21 -0600


On Oct 13, 2013, at 9:29 AM, setests setests <setests () gmail com> wrote:

Hi

Is it possible to add threshold and/or flow bits to a blacklisted IP while using the Reputation preprocessor?
------------------------------------------------------------------------------


Yea so far event filtering reputation is interesting.  You can either whitelist the IP (in the default.whitelist from 
README.reputation) or event_filter gid/sid 136:1.  So far the issue I'm running into is that I want to see both 
incoming AND outgoing reputation…but say one per hour.  Currently if I'm connected to say a blacklisted Tor node, I get 
tons of these in an instant since I can event_filter track by_src OR by_dest, but not both.

James
