snort-users May 2009 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: [Snort-users] Blacklisting for Snort

[Snort-users] Blacklisting for Snort

From: Jimmy Tharel <jtharel_at_nospam>
Date: Thu May 14 2009 - 02:22:51 GMT

Message: 1
Date: Wed, 13 May 2009 14:50:29 -0400
From: Martin Roesch <> Subject: [Snort-users] IP Blacklisting for Snort To: Snort-users <>,

    <> Content-Type: text/plain; charset=ISO-8859-1

Hi everyone,

I wrote a patch for Snort that implements IP blacklisting as a preprocessor in Snort over this past weekend. We talked about this last week on the mailing list in regards to trying to implement blacklisting using regular Snort rules and how well that doesn't work. :)

This code has been tested against Snort only. I've tested builds on OS X, Ubuntu and Fedora so far. It requires libdnet (or dumbnet-dev for those of you on Debian-based distros) to build properly. Check the README file that comes with it for instructions on patching it into your codebase. It supports inline blocking and alerting but not Flexresp-style TCP reset session shootdowns.

Have a look and let me know what features you'd like or bugs you find.

This code is purely EXPERIMENTAL, this is just me spending some of my spare time doing a fun coding project so if your machine sprouts legs and refuses to work until it receives part of the TARP bailout it's not my fault.

Here's the link:

Marty -- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Security for the Real World - Snort: Open Source IDP - Are there any plans to include Flexresp TCP Resets for this in the Future? That would be a great feature for me! :-) Jimmy

------------------------------------------------------------------------------ The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled.

_______________________________________________ Snort-users mailing list Go to this URL to change user options or unsubscribe: Snort-users list archive: