Reputation Preprocessor
Examples

    alert udp any any -> any 5060 (sip_body; content:"C=IN 0.0.0.0"; within:100;)

pcre

SIP overloads two options for pcre:

    H: Match the SIP header of a request or response, similar to sip_header.
    P: Match the SIP body of a request or response, similar to sip_body.

Examples

    alert udp any any -> any 5060 (pcre:"/INVITE/H"; sid:1000000;)
    alert udp any any -> any 5060 (pcre:"/m=/P"; sid:2000000;)

2.2.19 Reputation Preprocessor

The Reputation preprocessor provides basic IP blacklist/whitelist capabilities: traffic to or from the listed IP addresses is blocked, dropped or passed. In the past, reputation-based IP blocking was implemented with standard Snort rules; this preprocessor addresses the performance cost of that approach and makes IP reputation management easier. It runs before all other preprocessors.

Configuration

The preprocessor configuration name is reputation.

    preprocessor reputation

Option syntax

    Option       Argument                Required   Default
    memcap       <memcap>                NO         memcap 500
    scan_local   NONE                    NO         OFF
    blacklist    <list file name>        NO         NONE
    whitelist    <list file name>        NO         NONE
    priority     [blacklist whitelist]   NO         priority whitelist
    nested_ip    [inner outer both]      NO         nested_ip inner
    white        [unblack trust]         NO         white unblack

    memcap = 1-4095 Mbytes

Option explanations

memcap
    Maximum total memory supported. It can be set up to 4095 Mbytes.

scan_local
    Enables inspection of the local (private) addresses defined in RFC 1918, which are otherwise not checked against the lists:
        10.0.0.0 - 10.255.255.255 (10/8 prefix)
        172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
        192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

blacklist/whitelist
    The IP lists are loaded from external files. Relative paths and $variables are supported in the file path. Multiple blacklists or whitelists may be given.
    Note: if the same IP is redefined later, the later definition overwrites the earlier one. In other words, the IP lists always favor the last file or entry processed.

priority
    Specifies whether the blacklist or the whitelist has higher priority when the source (or destination) is on the blacklist while the destination (or source) is on the whitelist. By default,...
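The list and priority semantics described above can be modelled in a few dozen lines. The following Python is an added example, not Snort's own code: it loads constructed blacklist and whitelist files (named with a $variable, as the blacklist/whitelist option allows), applies the "last entry processed wins" overwrite rule, gates RFC 1918 addresses on scan_local, and lets the priority option decide a packet whose source is blacklisted while its destination is whitelisted. The comma-separated option syntax after `preprocessor reputation:`, the one-address-or-CIDR-per-line list format, and longest-prefix matching between entries of different length are assumptions of the model; memcap, nested_ip and the white option are not modelled.

```python
"""Model of the reputation preprocessor's list semantics (added example, not Snort code).

Assumptions: comma-separated options after 'preprocessor reputation:', one IP or
CIDR per list line with '#' comments, longest-prefix match between entries of
different length. memcap, nested_ip and white are not modelled.
"""
import ipaddress
import posixpath

# RFC 1918 ranges, as listed under the scan_local option.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed list files (not real Snort distribution lists), keyed by resolved path.
SAMPLE_FILES = {
    "/etc/snort/rules/black.list": (
        "# constructed blacklist\n"
        "203.0.113.0/24\n"
        "198.51.100.7\n"
        "10.9.8.7\n"   # RFC 1918: only inspected when scan_local is set
    ),
    "/etc/snort/rules/white.list": (
        "# constructed whitelist\n"
        "198.51.100.7   # re-listed: this later entry overwrites the blacklist one\n"
        "192.0.2.10\n"
    ),
}

# Constructed configuration in the (assumed) comma-separated option syntax.
CONFIG = r"""preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    blacklist $RULE_PATH/black.list, \
    whitelist $RULE_PATH/white.list
"""


def parse_config(text):
    """Return the options after 'preprocessor reputation:' as (name, arg) pairs, in order."""
    body = text.replace("\\\n", " ").split(":", 1)[1]
    pairs = [item.split() for item in body.split(",")]
    return [(p[0], p[1] if len(p) > 1 else None) for p in pairs if p]


def resolve_path(path, variables, base_dir):
    """Expand $variables, then resolve a relative path against the config directory."""
    for name, value in variables.items():
        path = path.replace("$" + name, value)
    if not posixpath.isabs(path):
        path = posixpath.normpath(posixpath.join(base_dir, path))
    return path


def parse_list(text):
    """Yield one ip_network per non-comment line; a bare address becomes a /32."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield ipaddress.ip_network(line, strict=False)


class Reputation:
    def __init__(self, options, files, variables, base_dir="/etc/snort"):
        self.scan_local = False       # table default: OFF
        self.priority = "whitelist"   # table default: priority whitelist
        self.entries = []             # (network, 'black'|'white') in processing order
        for name, arg in options:
            if name == "scan_local":
                self.scan_local = True
            elif name == "priority":
                self.priority = arg
            elif name in ("blacklist", "whitelist"):
                verdict = "black" if name == "blacklist" else "white"
                text = files[resolve_path(arg, variables, base_dir)]
                self.entries.extend((net, verdict) for net in parse_list(text))

    def lookup(self, ip):
        """'black', 'white' or None. Longest prefix wins; on equal length the last entry wins."""
        addr = ipaddress.ip_address(ip)
        if not self.scan_local and any(addr in net for net in RFC1918):
            return None
        best = None
        for net, verdict in self.entries:
            if addr in net and (best is None or net.prefixlen >= best[0].prefixlen):
                best = (net, verdict)
        return best[1] if best else None

    def verdict(self, src, dst):
        """'block', 'pass' (whitelisted, not blocked here) or 'unlisted' for one packet."""
        hits = {self.lookup(src), self.lookup(dst)}
        if "black" in hits and "white" in hits:
            return "block" if self.priority == "blacklist" else "pass"
        if "black" in hits:
            return "block"
        if "white" in hits:
            return "pass"
        return "unlisted"


if __name__ == "__main__":
    rep = Reputation(parse_config(CONFIG), SAMPLE_FILES, {"RULE_PATH": "/etc/snort/rules"})
    for src, dst in [("203.0.113.9", "192.0.2.10"), ("198.51.100.7", "192.0.2.1"), ("10.9.8.7", "192.0.2.1")]:
        print(src, "->", dst, rep.verdict(src, dst))
```

Because whitelist entries are processed after the blacklist in this configuration, 198.51.100.7 ends up whitelisted even though black.list names it first, which is the overwrite rule in action; swapping the order of the two options in CONFIG flips that result. Changing `priority whitelist` to `priority blacklist` makes the 203.0.113.9 to 192.0.2.10 packet block instead of pass, and adding `scan_local` makes the 10.9.8.7 entry take effect.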