What comes first?



  • It seems that whitelists or blacklists are the first a packet is compared to.  But, I have a client from Taiwan that constantly has their inbound messages filtered.  I've added them to the IP whitelist and seemed to do the trick, until recently.  Their messages where blocked again.  The following rule got them.  I would think the whitelist would precede this or any rule.

    1:25460
      FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt

    Any insight is appreciated.

    Go Blue.



  • Although not stated, I assume from the question and apparent rule GID:SID given in your post that you are asking about Snort.  First, are you sure your client's IP is still the same (just double-checking …  ;) ).  The settings that are important when using the Blacklist/Whitelist options of the IP REPUTATION preprocessor in Snort are PRIORITY and WHITELIST MEANING.  Of these, the most critical is WHITELIST MEANING.  It controls what happens to an IP that is on the whitelist.  If set to the default of "Unblack", then the IP is simply not immediately blocked and is instead routed through to be compared against all the other rules.  That means it is still possible one of the other rules might block the IP.  When set to "Trust", then the traffic from that IP is passed on and skips all other Snort rules.  This means no downstream Snort rules (on that interface) will block it.  This latter may be what you want if you implicitly trust that client.  If you change any of the IP REPUTATION preprocessor settings, be sure to manually stop and restart Snort on that interface using the GUI controls on the SNORT INTERFACES tab.

    Another possibility, if you are running Snort on multiple interfaces, is another Snort instance's rule nabbed your "trusted" client.  If that is the case, then you would need to adjust settings on that Snort instance as well to honor your trusted client.

    Bill


Log in to reply