|Main Archive Page > Month Archives > snort-users archives|
Suggestion: Rather than enter the IP addresses into snort.conf, it might be easier to manage something like this if we reference files that include the IP lists using a predefined syntax. That way you can download community based lists daily without ever having to update snort.conf each time.
Something like this: preprocessor iplist: < noalerts > < nodrops > <directory> whitelist name <filename> blacklist name <filename> blacklist name <filename>
preprocessor iplist: whitelist trusted /etc/snort/lists/trusted.list blacklist ET-dshield /etc/snort/lists/dshield.list blacklist ET-CC /etc/snort/lists/cc.list
On Wed, May 13, 2009 at 2:50 PM, Martin Roesch <firstname.lastname@example.org> wrote:
> Hi everyone,
> I wrote a patch for Snort 188.8.131.52 that implements IP blacklisting as a
> preprocessor in Snort over this past weekend. We talked about this
> last week on the mailing list in regards to trying to implement
> blacklisting using regular Snort rules and how well that doesn't work.
> This code has been tested against Snort 184.108.40.206 only. I've tested
> builds on OS X, Ubuntu and Fedora so far. It requires libdnet (or
> dumbnet-dev for those of you on Debian-based distros) to build
> properly. Check the README file that comes with it for instructions
> on patching it into your codebase. It supports inline blocking and
> alerting but not Flexresp-style TCP reset session shootdowns.
> Have a look and let me know what features you'd like or bugs you find.
> This code is purely EXPERIMENTAL, this is just me spending some of my
> spare time doing a fun coding project so if your machine sprouts legs
> and refuses to work until it receives part of the TARP bailout it's
> not my fault.
> Here's the link:
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> production scanning environment may not be a perfect world - but thanks to
> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
> Series Scanner you'll get full speed at 300 dpi even with all image
> processing features enabled. http://p.sf.net/sfu/kodak-com
> Snort-users mailing list
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive: