[Snort-devel] IP Blacklisting for Snort 2.8.4.1

Martin Roesch roesch at ...402...
Wed May 13 14:50:29 EDT 2009


Hi everyone,

I wrote a patch for Snort 2.8.4.1 that implements IP blacklisting as a
preprocessor in Snort over this past weekend.  We talked about this
last week on the mailing list in regards to trying to implement
blacklisting using regular Snort rules and how well that doesn't work.
:)

This code has been tested against Snort 2.8.4.1 only.  I've tested
builds on OS X, Ubuntu and Fedora so far.  It requires libdnet (or
dumbnet-dev for those of you on Debian-based distros) to build
properly.  Check the README file that comes with it for instructions
on patching it into your codebase.  It supports inline blocking and
alerting but not Flexresp-style TCP reset session shootdowns.

Have a look and let me know what features you'd like or bugs you find.

This code is purely EXPERIMENTAL, this is just me spending some of my
spare time doing a fun coding project so if your machine sprouts legs
and refuses to work until it receives part of the TARP bailout it's
not my fault.

Here's the link:

http://www.snort.org/users/roesch/code/iplist.patch.tgz

Marty

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org




More information about the Snort-devel mailing list