[Snort-users] Does Snort support country blocking

JJC cummingsj at ...11827...
Wed Mar 6 13:24:06 EST 2013


snippet from README.reputation:

IP List File Format

  Syntax
    The IP list file has 1 entry per line. The entry can be either IP entry or
    comment.

  IP Entry
    CIDR notation <comments> line break
    Example:
      172.16.42.32/32

  Comment
    # <comments>
    Example:
      # This is a full line comment

  IP List File Example
    ----------------------
    # This is a full line comment
    172.16.42.32/32    # This is an inline comment, line with single CIDR block

Use case

  A user wants to protect his/her network from unwanted/unknown IPs, only
  allowing some trusted IPs. Here is the configuration:

  preprocessor reputation: \
        blacklist /etc/snort/default.blacklist, \
        whitelist /etc/snort/default.whitelist

  In file "default.blacklist"
        # These two entries will match all ipv4 addresses
        1.0.0.0/1
        128.0.0.0/1

  In file "default.whitelist"
        68.177.102.22 # sourcefire.com
        74.125.93.104 # google.com

On Wed, Mar 6, 2013 at 11:21 AM, Ricky Huang <rhuang.work at ...11827...> wrote:
> Looking at the file it seems it is just a text list of individual IPs - does
> it support range syntax like "[]", "-", or "*"?
>
>
> On Mar 6, 2013, at 10:18 AM, JJC <cummingsj at ...11827...> wrote:
>
> That is correct
>
> On Wed, Mar 6, 2013 at 11:15 AM, Ricky Huang <rhuang.work at ...11827...> wrote:
>
> On Mar 6, 2013, at 9:22 AM, JJC <cummingsj at ...11827...> wrote:
>
> You can add entire CIDR blocks of the offending countries to your IP
> Rep preprocessor […]
>
>
> Does IP Rep preprocessor refer to the IP blacklist rules file?
>
>
>
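
As an added illustration (not part of the original thread and not Snort code), this Python sketch parses a list in the README's format, flags entries that are neither a single address nor a CIDR block (the only forms the README excerpt documents), and rewrites an inclusive address range as CIDR blocks. The function names, the constructed sample using documentation addresses, and the whitelist-over-blacklist order in `verdict` are assumptions of the example.

```python
import ipaddress

# Lists from the README use case quoted above.
README_BLACKLIST = """# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1"""
README_WHITELIST = """68.177.102.22 # sourcefire.com
74.125.93.104 # google.com"""
# Constructed sample: one valid entry and two entries in range syntax.
SAMPLE = """# constructed sample
172.16.42.32/32    # inline comment
198.51.100.16-198.51.100.47
203.0.113.*"""

def parse_list(text):
    """Return (networks, rejected) for an IP list in the README's format."""
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        try:
            # strict=False keeps entries with host bits set (the README's
            # 1.0.0.0/1) and stores them as the covering network, 0.0.0.0/1.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))  # not an address or CIDR block
    return networks, rejected

def range_to_cidrs(first, last):
    """Rewrite an inclusive first-last range as CIDR blocks for the list file."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(block) for block in blocks]

def verdict(addr, blacklist, whitelist):
    """Assumed order for this example: a whitelist match wins over a blacklist match."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in whitelist):
        return "whitelisted"
    if any(ip in net for net in blacklist):
        return "blacklisted"
    return "no match"

if __name__ == "__main__":
    bl, _ = parse_list(README_BLACKLIST)
    wl, _ = parse_list(README_WHITELIST)
    print(parse_list(SAMPLE)[1])
    print(range_to_cidrs("198.51.100.16", "198.51.100.47"))
    print(verdict("68.177.102.22", bl, wl), verdict("192.0.2.7", bl, wl))
```

Running a check like this over a country list before loading it shows which lines would need rewriting as CIDR blocks.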



