snort-users May 2009 archive

Re: [Snort-users] IP Blacklisting for Snort 2.8.4.1

From: Seth Art <sethsec_at_nospam>
Date: Wed May 13 2009 - 19:31:15 GMT
To: Martin Roesch <roesch@sourcefire.com>


Pretty cool!

Suggestion: Rather than enter the IP addresses into snort.conf, it might be easier to manage something like this if we reference files that include the IP lists using a predefined syntax. That way you can download community based lists daily without ever having to update snort.conf each time.

Something like this: preprocessor iplist: < noalerts > < nodrops > <directory> whitelist name <filename> blacklist name <filename> blacklist name <filename>

Ex:

preprocessor iplist: whitelist trusted /etc/snort/lists/trusted.list blacklist ET-dshield /etc/snort/lists/dshield.list blacklist ET-CC /etc/snort/lists/cc.list

Thoughts?

On Wed, May 13, 2009 at 2:50 PM, Martin Roesch <roesch@sourcefire.com> wrote:
> Hi everyone,
>
> I wrote a patch for Snort 2.8.4.1 that implements IP blacklisting as a
> preprocessor in Snort over this past weekend. We talked about this
> last week on the mailing list in regards to trying to implement
> blacklisting using regular Snort rules and how well that doesn't work.
> :)
>
> This code has been tested against Snort 2.8.4.1 only. I've tested
> builds on OS X, Ubuntu and Fedora so far. It requires libdnet (or
> dumbnet-dev for those of you on Debian-based distros) to build
> properly. Check the README file that comes with it for instructions
> on patching it into your codebase. It supports inline blocking and
> alerting but not Flexresp-style TCP reset session shootdowns.
>
> Have a look and let me know what features you'd like or bugs you find.
>
> This code is purely EXPERIMENTAL, this is just me spending some of my
> spare time doing a fun coding project so if your machine sprouts legs
> and refuses to work until it receives part of the TARP bailout it's
> not my fault.
>
> Here's the link:
>
> http://www.snort.org/users/roesch/code/iplist.patch.tgz
>
> Marty
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
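The list-file scheme Seth proposes above, worked through as an added example. This is my code, not part of Marty's patch or of Snort: it assumes the list files hold one IPv4 address or CIDR per line with blank lines and '#' comments ignored, that the whitelist is checked first and overrides every blacklist, and that a malformed line rejects the whole feed rather than loading it half-way. The three feeds are constructed sample data standing in for trusted.list, dshield.list and cc.list; in practice each string would be the file's contents read with fopen/fread. The names demo_check and demo_hit are illustration helpers, not a proposed API.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPLIST_MAX 4096   /* entries per list; a daily community feed fits comfortably */
typedef struct { uint32_t net, mask; } cidr_t;     /* host byte order; a bare address is a /32 */
typedef struct { const char *name; cidr_t ents[IPLIST_MAX]; size_t n; } iplist_t;
typedef enum { VERDICT_PASS, VERDICT_WHITELISTED, VERDICT_BLACKLISTED } verdict_t;

/* Parse "a.b.c.d" or "a.b.c.d/bits"; returns 0 on success, -1 on malformed input. */
static int parse_cidr(const char *s, cidr_t *out)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    long bits = 32;
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end || bits < 0 || bits > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    out->mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    out->net = ntohl(a.s_addr) & out->mask;
    return 0;
}

/* Load list text (the contents of one list file): one entry per line, blank lines and '#'
 * comments ignored. Returns entries added, or -1 on the first bad line so a corrupt or
 * truncated feed is rejected whole instead of being half-applied to the sensor. */
static int iplist_load_text(iplist_t *l, const char *name, const char *text)
{
    int added = 0, lineno = 0;
    l->name = name;
    for (const char *p = text; *p; lineno++) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128], *s, *e;
        if (len >= sizeof line || l->n == IPLIST_MAX) {
            fprintf(stderr, "%s:%d: line too long or list full\n", name, lineno + 1);
            return -1;
        }
        memcpy(line, p, len); line[len] = '\0';
        p += nl ? len + 1 : len;
        if ((e = strchr(line, '#')) != NULL) *e = '\0';                 /* strip comment */
        for (s = line; *s == ' ' || *s == '\t'; s++) {}                 /* leading whitespace */
        for (e = s + strlen(s); e > s && (e[-1] == ' ' || e[-1] == '\t' || e[-1] == '\r'); e--)
            e[-1] = '\0';                                                /* trailing whitespace/CR */
        if (!*s) continue;
        if (parse_cidr(s, &l->ents[l->n]) != 0) {
            fprintf(stderr, "%s:%d: bad entry '%s'\n", name, lineno + 1, s);
            return -1;
        }
        l->n++; added++;
    }
    return added;
}

/* Linear scan is fine for a demo; a preprocessor on a busy sensor wants a radix tree here. */
static int iplist_contains(const iplist_t *l, uint32_t ip)
{
    for (size_t i = 0; i < l->n; i++)
        if ((ip & l->ents[i].mask) == l->ents[i].net) return 1;
    return 0;
}

/* Assumed semantics: whitelist first, and it wins over every blacklist; *hit gets the deciding list. */
static verdict_t check_ip(const iplist_t *wl, const iplist_t *bls, size_t nbl,
                          const char *ip_str, const char **hit)
{
    struct in_addr a;
    *hit = NULL;
    if (inet_pton(AF_INET, ip_str, &a) != 1) return VERDICT_PASS;    /* unparsable: no match */
    uint32_t ip = ntohl(a.s_addr);
    if (wl && iplist_contains(wl, ip)) { *hit = wl->name; return VERDICT_WHITELISTED; }
    for (size_t i = 0; i < nbl; i++)
        if (iplist_contains(&bls[i], ip)) { *hit = bls[i].name; return VERDICT_BLACKLISTED; }
    return VERDICT_PASS;
}

/* Constructed sample feeds standing in for the three files named in the proposed config line. */
static verdict_t demo_check(const char *ip, const char **hit)
{
    static iplist_t wl, bl[2];
    static int loaded;
    if (!loaded) {
        iplist_load_text(&wl, "trusted", "# constructed whitelist\n10.0.0.0/8\n192.0.2.10\n");
        iplist_load_text(&bl[0], "ET-dshield", "192.0.2.0/24\n198.51.100.7   # noisy scanner\n");
        iplist_load_text(&bl[1], "ET-CC", "203.0.113.0/25\r\n");
        loaded = 1;
    }
    return check_ip(&wl, bl, 2, ip, hit);
}
/* Name of the list that decided the verdict for ip, or "" when it passed. */
static const char *demo_hit(const char *ip) { const char *h; demo_check(ip, &h); return h ? h : ""; }
```

Calling demo_check("192.0.2.10", &hit) returns VERDICT_WHITELISTED with hit set to "trusted" even though 192.0.2.0/24 sits on the ET-dshield feed, which is the whole point of loading a whitelist ahead of downloaded blacklists. Rejecting a feed on its first bad line is deliberate: if tomorrow's download is truncated or someone slips garbage into it, the sensor keeps yesterday's list rather than blocking on a partial one.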
