[Snort-devel] Updated IP Blacklisting patch (version 2)

Martin Roesch roesch at ...402...
Mon Jun 8 11:12:06 EDT 2009

Hey everyone,

I had 9 hours to kill flying back to Europe this weekend so I updated
the IP Blacklisting patch and it's now available.  You can get it


What's new?

I rewrote the config loader and the event generation code to support
named blacklists and loading IP lists from external files.  With these
two mods you now get the blacklist name included in the event messages
when a banned IP tries to access the network AND you can load however
many blacklisted IPs you like, potentially hundreds of thousands (at
least).  Check out the README.iplist file that comes with it for
config instructions.  Note that whitelists do NOT take names, they're
just exceptions to the blacklist anyway.

As per usual, this has received minimal testing and NO performance
testing.  May cause cramping, bowel discomfort and spontaneous
decapitation, use at your own risk, your mileage may vary, etc.  It's
a small piece of code but I may have missed something, feel free to
send feedback and I'll fix it if you find anything seriously broken.

I still haven't done flexresp-style session sniping nor does it load
IPv6 addresses yet.  Maybe in v3.



Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
