Snort mailing list archives
Re: Blacklist not working
From: Hui cao <huica () cisco com>
Date: Mon, 10 Aug 2015 15:28:26 -0400
Hi Charlie,

Blacklist rules are different from IP blacklists. In order to make this work, you should enable stream preprocessor and enable the preprocessor alerts for blacklist (136:1). If you still have this issue, can you provide the snort output?
Best, Hui.

On 08/06/2015 04:54 AM, Charlie wrote:
Hi

I am using Snort 2.9.7.5 with barnyard2-1.13 on a Linux Raspberry Pi 2 (3.18.11-v7+).

In my snort.conf, I have:

var RULE_PATH /usr/local/snort/rules
...
var WHITE_LIST_PATH /usr/local/snort/rules/iplists
var BLACK_LIST_PATH /usr/local/snort/rules/iplists
...
preprocessor reputation: \
    memcap 500, \
    scan_local, \
    priority blacklist, \
    nested_ip inner, \
    blacklist $BLACK_LIST_PATH/default.blacklist
...
include $RULE_PATH/blacklist.rules

/usr/local/snort/rules/iplists/default.blacklist contains:

1.160.114.65
1.174.194.40
1.234.245.2
...

/usr/local/snort/rules/blacklist.rules contains:

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
...

If I try to ping 1.160.114.65, no alert is reported by snort.
If I try in a browser datajunction.org (-or- datajunction.org:53), I can see the Kaspersky Lab home page and no alert is reported by snort.

So now I am suspicious that the blacklist function is not working, but why? How would you test the blacklist function?
Thanks in advance

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
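A snort.conf fragment that puts the reply's two points (stream preprocessor on, preprocessor rule 136:1 enabled) next to the reputation block from the original post. This is an added illustration, not a config from the thread or the Snort project; the stream5 settings are plain defaults, and PREPROC_RULE_PATH and the snort.conf path are assumed locations under the /usr/local/snort layout Charlie uses.

```conf
# Added illustration (not from the thread). Per the reply above, the
# reputation preprocessor's blacklist events are only seen when the
# stream preprocessor is enabled, so turn it on for all three protocols.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
preprocessor stream5_tcp: policy linux, ports both all
preprocessor stream5_udp: timeout 180
preprocessor stream5_icmp: timeout 30

# Reputation preprocessor, unchanged from the original post. The
# blacklist file holds one IP address or CIDR block per line.
var BLACK_LIST_PATH /usr/local/snort/rules/iplists
preprocessor reputation: \
    memcap 500, \
    scan_local, \
    priority blacklist, \
    nested_ip inner, \
    blacklist $BLACK_LIST_PATH/default.blacklist

# The missing piece: a blacklist hit only becomes an alert if the
# preprocessor rule for GID 136 / SID 1 is enabled. Include the stock
# preprocessor.rules file (PREPROC_RULE_PATH is an assumed path).
var PREPROC_RULE_PATH /usr/local/snort/preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules

# The two lines from preprocessor.rules that matter here
# (SID 1 = packet matched the blacklist, SID 2 = matched the whitelist):
#   alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
#   alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

# Check: start snort with console alerting on the monitored interface,
# confirm the startup output reports the loaded reputation entries, then
# send traffic to an address in default.blacklist; the expected alert is
# tagged [136:1:1] REPUTATION_EVENT_BLACKLIST. The content rules in
# blacklist.rules (sid 23802, 23799) are separate: they match only on a
# DNS query for the named domain seen on port 53, not on an IP address.
#   snort -c /usr/local/snort/etc/snort.conf -i eth0 -A console
```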