[Snort-users] IP Blacklisting for Snort 220.127.116.11
roesch at ...1935...
Wed May 13 14:50:29 EDT 2009
I wrote a patch for Snort 18.104.22.168 that implements IP blacklisting as a
preprocessor in Snort over this past weekend. We talked about this
last week on the mailing list in regards to trying to implement
blacklisting using regular Snort rules and how well that doesn't work.
This code has been tested against Snort 22.214.171.124 only. I've tested
builds on OS X, Ubuntu and Fedora so far. It requires libdnet (or
dumbnet-dev for those of you on Debian-based distros) to build
properly. Check the README file that comes with it for instructions
on patching it into your codebase. It supports inline blocking and
alerting but not Flexresp-style TCP reset session shootdowns.
Have a look and let me know what features you'd like or bugs you find.
This code is purely EXPERIMENTAL, this is just me spending some of my
spare time doing a fun coding project so if your machine sprouts legs
and refuses to work until it receives part of the TARP bailout it's
not my fault.
Here's the link:
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
More information about the Snort-users