[Snort-users] [Snort-devel] blacklist file for reputation processor

Joel Esler jesler at ...1935...
Thu Jul 21 16:13:35 EDT 2011


On Jul 21, 2011, at 3:51 PM, Matthew Jonkman wrote:

> Can we feed categories or anything in there, or is this just blocking?
> 

Expand on what you mean here.  We have some future improvements planned for the preprocessor, but I am not sure what you mean here.


> Will rule directive be coming so we can query reputation within a stream?
> 

Again, expand on what you mean.  The IP preprocessor takes place before any other preprocessor, and before the rules.  

J


> Thanks Steve!
> 
> Matt
> 
> 
> On Jul 21, 2011, at 3:49 PM, Steven Sturges wrote:
> 
>> The preprocessor has a config setting to ignore RFC1918 addresses,
>> so no need to whitelist.
>> 
>> Of course you can also blacklist your 192.168.1.1 router if
>> you really want to.  ;)
>> 
>> -steve
>> 
>> On 7/21/11 3:40 PM, Will Metcalf wrote:
>>> Perhaps you should white-list RFC1918 addresses as well; there are 10.
>>> and 192.168. addresses in those lists. Emerging Threats has a list as
>>> well.
>>> 
>>> http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
>>> 
>>> Regards,
>>> 
>>> Will
>>> 
>>> 2011/7/21 Alex Kirk<akirk at ...1935...>:
>>>> There is a somewhat experimental IP blacklist available at
>>>> http://labs.snort.org/iplists/, updated on a daily basis. Those IP addresses
>>>> are things that are touched by the VRT's malware farm - and while we've done
>>>> some basic whitelisting (i.e. google.com's IP shouldn't show up in there),
>>>> simply importing those lists and blocking them wholesale would probably be a
>>>> bad idea. I would suggest cross-referencing those lists with other IP
>>>> reputation blacklists available on the Internet.
>>>> Sourcefire is examining more "turn-key" list solutions for the future, but
>>>> for the time being this experimental list is all we have available.
>>>> 
>>>> 2011/7/20 김무성<kimms at ...14610...>
>>>>> 
>>>>> Hello list.
>>>>> 
>>>>> I saw the release of snort-2.9.1 RC.
>>>>> 
>>>>> There are some new functions that were added. It’s awesome.
>>>>> 
>>>>> One of them, the IP reputation processor, is a good idea.
>>>>> 
>>>>> 
>>>>> 
>>>>> But the important thing is a blacklist. A real blacklist.
>>>>> 
>>>>> Is there a blacklist which Sourcefire provides to the public?
>>>>> 
>>>>> Where can I get this list?
>>>>> 
>>>>> _______________________________________________
>>>>> Snort-devel mailing list
>>>>> Snort-devel at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Alex Kirk
>>>> AEGIS Program Lead
>>>> Sourcefire Vulnerability Research Team
>>>> +1-410-423-1937
>>>> alex.kirk at ...1935...
>>>> 
>>> 
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please see http://www.snort.org/docs for documentation
> 
> 
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
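
An added example, not part of the original thread and not Snort or Sourcefire code: one way to act on the two suggestions quoted above, dropping RFC1918 entries from a downloaded list and keeping only the entries that other reputation lists also cover. The function names, the constructed sample lists and the one-entry-per-line input and output format are assumptions.

```python
import ipaddress

# RFC1918 private ranges; these never belong in an Internet-facing blacklist.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_list(text):
    """Parse one list (address or CIDR per line, '#' comments) into networks."""
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip malformed lines instead of aborting the import
    return nets

def covered_by(net, nets):
    """True if net equals or sits inside any entry of nets (same IP version)."""
    return any(o.version == net.version and net.subnet_of(o) for o in nets)

def build_blacklist(primary, others, min_confirm=1):
    """Keep primary entries that are not RFC1918 and that at least
    min_confirm of the other lists also cover."""
    other_sets = [parse_list(t) for t in others]
    keep = []
    for net in parse_list(primary):
        if any(net.overlaps(p) for p in RFC1918):
            continue  # private address leaked into the feed
        if sum(covered_by(net, s) for s in other_sets) >= min_confirm:
            keep.append(net)
    keep.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in keep]

# Constructed sample lists (documentation ranges plus private addresses).
PRIMARY = "192.0.2.10\n192.168.1.1\n10.20.30.40\n198.51.100.7\n203.0.113.99\nnot-an-ip\n"
OTHER_A = "192.0.2.0/24   # CIDR covering the first entry\n192.168.1.1\n203.0.113.99\n"
OTHER_B = "# second feed\n198.51.100.7\n203.0.113.99\n10.0.0.0/8\n"

if __name__ == "__main__":
    print("\n".join(build_blacklist(PRIMARY, [OTHER_A, OTHER_B])))
```

Raising `min_confirm` trades coverage for fewer false positives: with the sample data, requiring two confirming lists leaves a single entry.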




