Configuration

The preprocessor configuration name is reputation.

    preprocessor reputation
Option syntax

    Option      Argument                 Required   Default
    memcap      <memcap>                 NO         memcap 500
    scan_local  NONE                     NO         OFF
    blacklist   <list file name>         NO         NONE
    whitelist   <list file name>         NO         NONE
    priority    [blacklist whitelist]    NO         priority whitelist
    nested_ip   [inner outer both]       NO         nested_ip inner
    white       [unblack trust]          NO         white unblack

    memcap = 1-4095 Mbytes
Option explanations
memcap
Maximum total memory used by the preprocessor. It can be set up to 4095 Mbytes.

scan_local
Enable inspection of the local (private) addresses defined in RFC 1918:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

blacklist/whitelist
The IP lists are loaded from external files. File names may be given as relative paths and may use $variables for the path. Multiple blacklists or whitelists are supported.

Note: if the same IP is redefined later, the later definition overwrites the previous one. In other words, IP lists always favor the last file or entry processed.

priority
Specify whether the blacklist or the whitelist has higher priority when one of source/destination is on the blacklist while the other is on the whitelist. By default, the whitelist has higher priority. In other words, the packet is passed when either source or destination is whitelisted.

Note: this only defines priority for a decision conflict at run time. At initialization time, if the same IP address is defined in both the whitelist and the blacklist, the last definition processed is the final one; priority does not apply in that case.

nested_ip
Specify which IP address is used when there is IP encapsulation: the inner address, the outer address, or both.

white
Specify the meaning of the whitelist. When white means unblack, it unblacks IPs that are in blacklists; when white means trust, the packet is bypassed without further detection by Snort. You can specify only one of unblack or trust.

Note: when white means unblack, the whitelist always has higher priority than the blacklist.

Configuration examples

    preprocessor reputation: \
                   blacklist /etc/snort/default.blacklist, \
                   whitelist /etc/snort/default.whitelist
   
    preprocessor reputation: \
                   nested_ip both, \
                   blacklist /etc/snort/default.blacklist, \
                   whitelist /etc/snort/default.whitelist
   
    preprocessor reputation: \
                   memcap  4095, scan_local, nested_ip both, \
                   priority whitelist,  \
                   blacklist /etc/snort/default.blacklist, \
                   whitelist /etc/snort/default.whitelist, \
                   white trust
   
    $REP_BLACK_FILE1 = ../dshield.list
    $REP_BLACK_FILE2 = ../snort.org.list
    preprocessor reputation: \
                blacklist $REP_BLACK_FILE1,\
                blacklist $REP_BLACK_FILE2
IP List File Format
Syntax
The IP list file has one entry per line. An entry is either an IP entry or a comment.

IP Entry
CIDR notation <comments> line break.
Example:
     172.16.42.32/32
     172.33.42.32/16

Comment
A comment starts with #:
# <comments>
Example
    #  This is a full line comment
    172.33.42.32/16    # This is an in-line comment

IP List File Example
    # This is a full line comment
    172.16.42.32/32    # This is an inline comment, line with single CIDR block
    172.33.42.32/16

Use case

A user wants to protect their network from unwanted/unknown IPs, allowing only a few trusted IPs. Here is the configuration:
  
  preprocessor reputation: \
        blacklist /etc/snort/default.blacklist, \
        whitelist /etc/snort/default.whitelist

  In file "default.blacklist"
        # These two entries will match all IPv4 addresses
        1.0.0.0/1
        128.0.0.0/1

  In file "default.whitelist"
        68.177.102.22 # sourcefire.com
        74.125.93.104 # google.com
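As an added example (not from the Snort manual or Snort's source), the following Python models the list-file format and the decision rules described above: last definition wins at load time, the priority option at run time, and the unblack/trust meaning of white. Overlapping blocks are resolved by longest prefix, which is a modelling assumption for the use case, not a statement about Snort's internal table.

```python
import ipaddress

# Constructed sample list files in the documented format (one CIDR per line,
# '#' starts a comment); they mirror the use case above, not a real deployment.
BLACKLIST = "# match all IPv4 addresses\n1.0.0.0/1\n128.0.0.0/1\n"
WHITELIST = "68.177.102.22 # sourcefire.com\n74.125.93.104 # google.com\n"

def parse_ip_list(text):
    """Return ip_network objects from a list file, skipping comments and blank
    lines. A bare address is a /32; strict=False accepts 1.0.0.0/1 as 0.0.0.0/1."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def build_table(lists):
    """Load (verdict, text) pairs in configuration order. An identical block
    seen again overwrites the earlier verdict: the documented 'last one wins'."""
    table = {}
    for verdict, text in lists:
        for net in parse_ip_list(text):
            table[net] = verdict
    return table

def lookup(table, ip):
    """Verdict for one address; the most specific block wins (model assumption),
    so a /32 whitelist entry inside a /1 blacklist block is found."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net in table if addr in net]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def decide(table, src, dst, priority="whitelist", white="unblack"):
    """Run-time verdict: 'block', 'pass' (normal inspection) or 'trust' (bypass).
    With white=unblack the whitelist always beats the blacklist; with white=trust
    the priority option settles a source/destination conflict."""
    verdicts = {lookup(table, src), lookup(table, dst)}
    if "white" in verdicts and "black" in verdicts:
        if white == "unblack" or priority == "whitelist":
            return "trust" if white == "trust" else "pass"
        return "block"
    if "black" in verdicts:
        return "block"
    if "white" in verdicts:
        return "trust" if white == "trust" else "pass"
    return "pass"

if __name__ == "__main__":
    table = build_table([("black", BLACKLIST), ("white", WHITELIST)])
    print(decide(table, "68.177.102.22", "8.8.8.8"))  # pass: whitelisted source unblacks
```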


Eugene Misnik 2013-05-08