snort-users May 2009 archive

Re: [Snort-users] Blacklisting for Snort 2.8.4.1

From: Martin Roesch <roesch_at_nospam>
Date: Thu May 14 2009 - 02:45:21 GMT
To: Jimmy Tharel <jtharel@yahoo.com>


Hi Jimmy,

I don't have any plans to add flexresp support at this time; doing it inline is a much more sure solution than trying to do a TCP session snipe and has a much greater chance of success (100%) as well. If someone can make a convincing use case, then it could be a future feature though.

Marty

On Wed, May 13, 2009 at 10:22 PM, Jimmy Tharel <jtharel@yahoo.com> wrote:
>
> Message: 1
> Date: Wed, 13 May 2009 14:50:29 -0400
> From: Martin Roesch <roesch@sourcefire.com>
> Subject: [Snort-users] IP Blacklisting for Snort 2.8.4.1
> To: Snort-users <snort-users@lists.sourceforge.net>,
> snort-devel@lists.sourceforge.net
> Message-ID:
> <98fce1870905131150i4098c2ccodfd20acfaece9764@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi everyone,
>
> I wrote a patch for Snort 2.8.4.1 that implements IP blacklisting as a
> preprocessor in Snort over this past weekend. We talked about this
> last week on the mailing list in regards to trying to implement
> blacklisting using regular Snort rules and how well that doesn't work.
> :)
>
> This code has been tested against Snort 2.8.4.1 only. I've tested
> builds on OS X, Ubuntu and Fedora so far. It requires libdnet (or
> dumbnet-dev for those of you on Debian-based distros) to build
> properly. Check the README file that comes with it for instructions
> on patching it into your codebase. It supports inline blocking and
> alerting but not Flexresp-style TCP reset session shootdowns.
>
> Have a look and let me know what features you'd like or bugs you find.
>
> This code is purely EXPERIMENTAL, this is just me spending some of my
> spare time doing a fun coding project so if your machine sprouts legs
> and refuses to work until it receives part of the TARP bailout it's
> not my fault.
>
> Here's the link:
>
> http://www.snort.org/users/roesch/code/iplist.patch.tgz
>
> Marty
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
>
>
>
> Are there any plans to include Flexresp TCP Resets for this in the future?
> That would be a great feature for me! :-)
>
> Jimmy
>
>
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
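The per-packet decision such an IP blacklist preprocessor has to make, written out as an added example (it is not code from iplist.patch, from Snort, or from anyone in this thread): entries are CIDR blocks, a packet whose source or destination address falls inside one is dropped when the sensor runs inline and only alerted on when it is passive, which is the inline-versus-alert split Marty describes. The function and type names and the addresses are all constructed for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { VERDICT_PASS, VERDICT_ALERT, VERDICT_DROP } verdict_t;
typedef struct { uint32_t net, mask; } cidr_t;   /* host byte order */

/* Dotted-quad text to a host-order integer; 0 on a malformed address. */
uint32_t ip4(const char *text)
{
    struct in_addr ia;
    return inet_pton(AF_INET, text, &ia) == 1 ? ntohl(ia.s_addr) : 0;
}

/* Parse "a.b.c.d/n" (a bare address means /32). Returns 1 on success. */
int parse_cidr(const char *text, cidr_t *out)
{
    char addr[32];
    struct in_addr ia;
    int bits = 32;
    const char *slash = strchr(text, '/');
    size_t len = slash ? (size_t)(slash - text) : strlen(text);
    if (len == 0 || len >= sizeof addr) return 0;
    memcpy(addr, text, len);
    addr[len] = '\0';
    if (slash && (sscanf(slash + 1, "%d", &bits) != 1 || bits < 0 || bits > 32)) return 0;
    if (inet_pton(AF_INET, addr, &ia) != 1) return 0;
    out->mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;   /* guard the /0 shift */
    out->net = ntohl(ia.s_addr) & out->mask;              /* 10.1.2.3/8 -> 10.0.0.0/8 */
    return 1;
}

/* Masked compare against every entry; a linear scan is enough for a demo. */
int in_blacklist(const cidr_t *list, size_t n, uint32_t ip)
{
    for (size_t i = 0; i < n; i++)
        if ((ip & list[i].mask) == list[i].net) return 1;
    return 0;
}

/* Per-packet verdict: an inline sensor can drop, a passive tap can only alert. */
verdict_t blacklist_verdict(const cidr_t *list, size_t n, uint32_t src, uint32_t dst, int inline_mode)
{
    if (!in_blacklist(list, n, src) && !in_blacklist(list, n, dst)) return VERDICT_PASS;
    return inline_mode ? VERDICT_DROP : VERDICT_ALERT;
}
```

Feed it a constructed list such as 192.0.2.0/24 and 198.51.100.7 and a packet from 192.0.2.99: inline it returns VERDICT_DROP, passive it returns VERDICT_ALERT.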