[Snort-users] Blocking ip's with snort blacklist

waldo kitty wkitty42 at ...14940...
Tue Mar 26 21:48:54 EDT 2013


On 3/26/2013 16:54, Joel Esler wrote:
> In that case, yes. You'd need to be running Snort in inline mode, and you can
> set the IP rep preprocessor rule to drop.
>
> alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata:
> rule-type preproc ; classtype:bad-unknown; )
> alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata:
> rule-type preproc ; classtype:bad-unknown; )

Question: why in the world would WHITELIST alerts be a classtype of bad-unknown?
They are not "bad", are they??
