IP reputation inspector – alerts and pegs
The IP reputation inspector can generate the following alerts, as shown by the --help-module command:
./build/src/snort --help-module reputation

Rules:
    136:1 (reputation) packets blocked based on source
    136:2 (reputation) packets trusted based on source
    136:3 (reputation) packets monitored based on source
    136:4 (reputation) packets blocked based on destination
    136:5 (reputation) packets trusted based on destination
    136:6 (reputation) packets monitored based on destination
We have to put a stub rule in the rules file to enable any of the preceding alerts that we need. For example, in order to enable alerting when the inspector blocks a packet based on source IP address, we will have this rule in our rules file:
alert ( gid:136; sid:1; msg:"(reputation) packets blocked based on source"; priority:3; )
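Writing one stub per builtin event by hand is error-prone, so as an added example (not from the book or the Snort project) here is a small generator that reads the Rules: section of --help-module output and emits Snort 3 stub rules for the verdicts you want to see alerts for. The help text below is constructed from the listing above rather than captured from a live run.

```python
import re

# Constructed sample: the Rules: section of `snort --help-module reputation`
# as listed on this page (not captured from a running Snort instance).
HELP_OUTPUT = """\
Rules:
    136:1 (reputation) packets blocked based on source
    136:2 (reputation) packets trusted based on source
    136:3 (reputation) packets monitored based on source
    136:4 (reputation) packets blocked based on destination
    136:5 (reputation) packets trusted based on destination
    136:6 (reputation) packets monitored based on destination
Peg counts:
"""

# One builtin rule line: "<gid>:<sid> <message text>"
RULE_LINE = re.compile(r"^\s*(\d+):(\d+)\s+(.*\S)\s*$")


def parse_builtin_rules(help_text):
    """Return (gid, sid, msg) tuples found in the Rules: section."""
    rules = []
    in_rules = False
    for line in help_text.splitlines():
        if line.strip() == "Rules:":
            in_rules = True
            continue
        if in_rules:
            m = RULE_LINE.match(line)
            if not m:
                break  # first non-rule line ends the Rules: section
            rules.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rules


def stub_rules(help_text, verdicts=("blocked", "trusted", "monitored"), priority=3):
    """Emit a Snort 3 stub rule for each builtin event whose message
    mentions one of the selected verdicts (blocked/trusted/monitored)."""
    stubs = []
    for gid, sid, msg in parse_builtin_rules(help_text):
        if any(v in msg.split() for v in verdicts):
            stubs.append(
                f'alert ( gid:{gid}; sid:{sid}; msg:"{msg}"; priority:{priority}; )'
            )
    return stubs


if __name__ == "__main__":
    # Only alert on blocked packets, matching the single stub shown above.
    print("\n".join(stub_rules(HELP_OUTPUT, verdicts=("blocked",))))
```

Pipe the real `snort --help-module reputation` output into `stub_rules` to regenerate the stubs after a Snort upgrade, so a renumbered or newly added builtin event is not silently left unalerted.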
The IP reputation inspector module creates alerts when a packet is blocked. The alert will be created in the format specified...