[Snort-devel] [Snort-users] Updated IP Blacklisting patch (version 2)

Martin Roesch roesch at ...402...
Tue Jun 16 09:44:47 EDT 2009


I haven't tried it with 2.8.5 yet, I'll try it out and see what happens RSN.

Marty

On Tue, Jun 16, 2009 at 2:00 AM, Luis Daniel Lucio Quiroz <luis.daniel.lucio at ...2499...> wrote:
> On Monday 8 June 2009 17:12:06, Martin Roesch wrote:
>> Hey everyone,
>>
>> I had 9 hours to kill flying back to Europe this weekend so I updated
>> the IP Blacklisting patch and it's now available.  You can get it
>> here:
>>
>> http://www.snort.org/users/roesch/code/iplist.patch.v2.tgz
>>
>> What's new?
>>
>> I rewrote the config loader and the event generation code to support
>> named blacklists and loading IP lists from external files.  With these
>> two mods you now get the blacklist name included in the event messages
>> when a banned IP tries to access the network AND you can load however
>> many blacklisted IPs you like, potentially hundreds of thousands (at
>> least).  Check out the README.iplist file that comes with it for
>> config instructions.  Note that whitelists do NOT take names, they're
>> just exceptions to the blacklist anyway.
>>
>> As per usual, this has received minimal testing and NO performance
>> testing.  May cause cramping, bowel discomfort and spontaneous
>> decapitation, use at your own risk, your mileage may vary, etc.  It's
>> a small piece of code but I may have missed something, feel free to
>> send feedback and I'll fix it if you find anything seriously broken.
>>
>> I still haven't done flexresp-style session sniping nor does it load
>> IPv6 addresses yet.  Maybe in v3.
>>
>> Enjoy!
>>
>> Marty
>
> Have you tried it with 2.8.5 beta?
>



-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org



