[Snort-users] Blocking IPs with Snort blacklist

Joel Esler jesler at ...1935...
Tue Mar 26 17:54:39 EDT 2013


On Mar 26, 2013, at 3:29 PM, Dmitry Korzhevin <dmitry.korzhevin at ...15907...> wrote:

> Yes, I mean using the blacklist IP preprocessor

In that case, yes.  You'd need to be running Snort in inline mode, and you can set the IP rep preprocessor rule to drop.

alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

(the first one)

drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Then any IP in the reputation feed would be blocked.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
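The pieces the reply above refers to, put together as an added example (not part of the original post and not from the Snort distribution) for Snort 2.9.x: inline policy mode, the reputation preprocessor pointed at a blacklist and a whitelist, the gid 136 rule switched from alert to drop, and the inline start command. The file paths, interface names and list contents are assumptions; the two list files are constructed samples, not a real feed.

```conf
# --- snort.conf (Snort 2.9.x) ---
# "drop" only blocks when the engine is in inline mode.
config policy_mode:inline

# Assumed install paths; adjust to your layout.
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# Reputation preprocessor. Each list file holds one IP or CIDR per line.
# "priority whitelist" means a whitelisted address that also falls inside a
# blacklisted range is still let through; use "priority blacklist" if the
# blacklist should win instead.
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/white_list.rules, \
    blacklist $BLACK_LIST_PATH/black_list.rules

# The preprocessor rules must be included, otherwise no gid 136 event is
# generated and the drop action never fires.
include $PREPROC_RULE_PATH/preprocessor.rules

# --- preproc_rules/preprocessor.rules (only the two reputation rules shown) ---
# Rule 136:1 changed from "alert" to "drop" so blacklist hits are blocked;
# 136:2 stays "alert" so whitelist hits are only logged.
drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

# --- rules/black_list.rules (constructed sample, documentation-only addresses) ---
#   198.51.100.0/24
#   203.0.113.7

# --- rules/white_list.rules (constructed sample) ---
#   198.51.100.10
# With "priority whitelist" above, 198.51.100.10 is allowed even though it is
# inside the blacklisted 198.51.100.0/24.

# Validate the configuration without sniffing, then start inline between two
# interfaces with the afpacket DAQ (-Q selects inline mode):
#   snort -T -c /etc/snort/snort.conf
#   snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf
```

Run the `-T` check after every list update: a malformed line in either list file is reported there rather than silently ignored at start-up, and the preprocessor section of the test output shows how many entries were loaded from each file.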