[Snort-users] IP Blacklisting for Snort 2.8.4.1

Seth Art sethsec at ...11827...
Wed May 13 15:31:15 EDT 2009


Pretty cool!

Suggestion: Rather than enter the IP addresses into snort.conf, it
might be easier to manage something like this if we reference files
that include the IP lists using a predefined syntax.  That way you can
download community based lists daily without ever having to update
snort.conf each time.

Something like this:

preprocessor iplist: < noalerts > < nodrops > <directory>
                    whitelist name <filename>
                    blacklist name <filename>
                    blacklist name <filename>

Ex:

preprocessor iplist:
                    whitelist trusted /etc/snort/lists/trusted.list
                    blacklist ET-dshield /etc/snort/lists/dshield.list
                    blacklist ET-CC /etc/snort/lists/cc.list

 Thoughts?


On Wed, May 13, 2009 at 2:50 PM, Martin Roesch <roesch at ...1935...> wrote:
> Hi everyone,
>
> I wrote a patch for Snort 2.8.4.1 that implements IP blacklisting as a
> preprocessor in Snort over this past weekend.  We talked about this
> last week on the mailing list in regards to trying to implement
> blacklisting using regular Snort rules and how well that doesn't work.
> :)
>
> This code has been tested against Snort 2.8.4.1 only.  I've tested
> builds on OS X, Ubuntu and Fedora so far.  It requires libdnet (or
> dumbnet-dev for those of you on Debian-based distros) to build
> properly.  Check the README file that comes with it for instructions
> on patching it into your codebase.  It supports inline blocking and
> alerting but not Flexresp-style TCP reset session shootdowns.
>
> Have a look and let me know what features you'd like or bugs you find.
>
> This code is purely EXPERIMENTAL, this is just me spending some of my
> spare time doing a fun coding project so if your machine sprouts legs
> and refuses to work until it receives part of the TARP bailout it's
> not my fault.
>
> Here's the link:
>
> http://www.snort.org/users/roesch/code/iplist.patch.tgz
>
> Marty
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
>
> ------------------------------------------------------------------------------
> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> production scanning environment may not be a perfect world - but thanks to
> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
> Series Scanner you'll get full speed at 300 dpi even with all image
> processing features enabled. http://p.sf.net/sfu/kodak-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list