snort-users May 2009 archive

[Snort-users] Blacklisting for Snort 2.8.4.1

From: Jimmy Tharel <jtharel_at_nospam>
Date: Thu May 14 2009 - 02:22:51 GMT
To: snort-users@lists.sourceforge.net

Message: 1
Date: Wed, 13 May 2009 14:50:29 -0400
From: Martin Roesch <roesch@sourcefire.com>
Subject: [Snort-users] IP Blacklisting for Snort 2.8.4.1
To: Snort-users <snort-users@lists.sourceforge.net>, snort-devel@lists.sourceforge.net
Message-ID: <98fce1870905131150i4098c2ccodfd20acfaece9764@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi everyone,

I wrote a patch for Snort 2.8.4.1 that implements IP blacklisting as a preprocessor in Snort over this past weekend. We talked about this last week on the mailing list in regards to trying to implement blacklisting using regular Snort rules and how well that doesn't work. :)

This code has been tested against Snort 2.8.4.1 only. I've tested builds on OS X, Ubuntu and Fedora so far. It requires libdnet (or dumbnet-dev for those of you on Debian-based distros) to build properly. Check the README file that comes with it for instructions on patching it into your codebase. It supports inline blocking and alerting but not Flexresp-style TCP reset session shootdowns.

Have a look and let me know what features you'd like or bugs you find.

This code is purely EXPERIMENTAL; this is just me spending some of my spare time doing a fun coding project, so if your machine sprouts legs and refuses to work until it receives part of the TARP bailout, it's not my fault.

Here's the link:

http://www.snort.org/users/roesch/code/iplist.patch.tgz

Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

Are there any plans to include Flexresp TCP Resets for this in the future? That would be a great feature for me! :-)

Jimmy
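As an added illustration of the design point in Marty's announcement, namely that an address-list check belongs in a preprocessor that tests each packet's addresses against a prefix set rather than in one Snort rule per address, here is a small stand-alone C matcher. It is example code written for this page, not code from iplist.patch or from Snort itself; the list format (one IPv4 address or CIDR per line, '#' comments), the function names, and the sample addresses (RFC 5737 documentation ranges) are all constructed assumptions. The verdict function mirrors the two behaviours the announcement names, alert only or drop when running inline; no TCP reset is modelled, matching the announcement.

```c
/* Added example: a CIDR blacklist check of the kind a preprocessor would
 * run per packet. Not code from iplist.patch; list format, names and
 * sample addresses are constructed for this illustration. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPLIST_MAX 1024

typedef struct { uint32_t net, mask; } ip_entry;   /* host byte order */
typedef struct { ip_entry entries[IPLIST_MAX]; size_t count; } ip_list;
typedef enum { IPLIST_PASS = 0, IPLIST_ALERT = 1, IPLIST_DROP = 2 } ip_verdict;

/* Parse "a.b.c.d" or "a.b.c.d/n" into an entry; 0 on success, -1 on error. */
static int parse_cidr(const char *text, ip_entry *out)
{
    char buf[64], *slash, *end;
    long prefix = 32;
    struct in_addr addr;

    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (*end != '\0' || prefix < 0 || prefix > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1) return -1;
    /* a shift by 32 is undefined in C, so /0 is special-cased */
    out->mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    out->net = ntohl(addr.s_addr) & out->mask;
    return 0;
}

/* Load a list: one address or CIDR per line, '#' starts a comment.
 * Returns the number of entries loaded, or -1 on a malformed line. */
int iplist_load(ip_list *list, const char *text)
{
    char line[128], *hash, *start, *end;
    const char *p = text, *nl;
    size_t len;

    list->count = 0;
    while (*p) {
        nl = strchr(p, '\n');
        len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (nl ? 1 : 0);
        if ((hash = strchr(line, '#')) != NULL) *hash = '\0';
        for (start = line; *start == ' ' || *start == '\t' || *start == '\r'; start++) {}
        for (end = start + strlen(start); end > start && strchr(" \t\r", end[-1]); end--) {}
        *end = '\0';
        if (*start == '\0') continue;                 /* blank or comment-only line */
        if (list->count >= IPLIST_MAX) return -1;
        if (parse_cidr(start, &list->entries[list->count]) != 0) return -1;
        list->count++;
    }
    return (int)list->count;
}

/* 1 if the dotted-quad address is inside any entry, else 0. A real preprocessor
 * would use a trie or hash for large lists; a linear scan keeps this readable. */
int iplist_match(const ip_list *list, const char *dotted)
{
    struct in_addr addr;
    uint32_t host;
    size_t i;

    if (inet_pton(AF_INET, dotted, &addr) != 1) return 0;
    host = ntohl(addr.s_addr);
    for (i = 0; i < list->count; i++)
        if ((host & list->entries[i].mask) == list->entries[i].net) return 1;
    return 0;
}

/* Per-packet decision: a hit on either address alerts; inline mode also drops. */
ip_verdict iplist_verdict(const ip_list *list, const char *src, const char *dst, int inline_mode)
{
    if (!iplist_match(list, src) && !iplist_match(list, dst)) return IPLIST_PASS;
    return inline_mode ? IPLIST_DROP : IPLIST_ALERT;
}

/* Constructed sample list using RFC 5737 documentation ranges. */
static const char SAMPLE_LIST[] =
    "# constructed blacklist\n"
    "192.0.2.0/24        # whole /24\n"
    "198.51.100.7        # single host\n"
    "203.0.113.128/25    # upper half of the /24\n";

/* Load SAMPLE_LIST once and return it. */
const ip_list *sample_list(void)
{
    static ip_list list;
    static int loaded = 0;
    if (!loaded) { iplist_load(&list, SAMPLE_LIST); loaded = 1; }
    return &list;
}

int main(void)
{
    static const char *pkts[][2] = {
        {"10.1.1.1", "192.0.2.44"}, {"198.51.100.7", "10.1.1.1"},
        {"203.0.113.5", "10.1.1.1"}, {"10.1.1.1", "10.2.2.2"},
    };
    size_t i;
    for (i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("%s -> %s : verdict %d\n", pkts[i][0], pkts[i][1],
               iplist_verdict(sample_list(), pkts[i][0], pkts[i][1], 1));
    return 0;
}
```

Build with any C compiler on a POSIX system (it needs arpa/inet.h for inet_pton). The point to take from it is that adding a thousand entries to the list changes nothing about rule parsing or detection-engine state; the check is one prefix comparison per entry, and the data structure can be swapped for a trie without touching the verdict logic.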

