[Snort-users] Blacklisting for Snort 18.104.22.168
jtharel at ...131...
Wed May 13 22:22:51 EDT 2009
Date: Wed, 13 May 2009 14:50:29 -0400
From: Martin Roesch <roesch at ...1935...>
Subject: [Snort-users] IP Blacklisting for Snort 22.214.171.124
To: Snort-users <snort-users at lists.sourceforge.net>,
snort-devel at lists.sourceforge.net
<98fce1870905131150i4098c2ccodfd20acfaece9764 at ...11828...>
Content-Type: text/plain; charset=ISO-8859-1
I wrote a patch for Snort 126.96.36.199 that implements IP blacklisting as a
preprocessor in Snort over this past weekend. We talked about this
last week on the mailing list in regards to trying to implement
blacklisting using regular Snort rules and how well that doesn't work.
This code has been tested against Snort 188.8.131.52 only. I've tested
builds on OS X, Ubuntu and Fedora so far. It requires libdnet (or
dumbnet-dev for those of you on Debian-based distros) to build
properly. Check the README file that comes with it for instructions
on patching it into your codebase. It supports inline blocking and
alerting but not Flexresp-style TCP reset session shootdowns.
Have a look and let me know what features you'd like or bugs you find.
This code is purely EXPERIMENTAL, this is just me spending some of my
spare time doing a fun coding project so if your machine sprouts legs
and refuses to work until it receives part of the TARP bailout it's
not my fault.
Here's the link:
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
Are there any plans to include Flexresp TCP Resets for this in the Future?
That would be a great feature for me! :-)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users