Snort mailing list archives
Re: Blacklisting for Snort 2.8.4.1
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 13 May 2009 22:45:21 -0400
Hi Jimmy, I don't have any plans to add flexresp support at this time, doing it inline is a much more sure solution than trying to do a TCP session snipe and has a much greater chance of success (100%) as well. If someone can make a convincing use case then it could be a future feature though. Marty On Wed, May 13, 2009 at 10:22 PM, Jimmy Tharel <jtharel () yahoo com> wrote:
Message: 1 Date: Wed, 13 May 2009 14:50:29 -0400 From: Martin Roesch <roesch () sourcefire com> Subject: [Snort-users] IP Blacklisting for Snort 2.8.4.1 To: Snort-users <snort-users () lists sourceforge net>, snort-devel () lists sourceforge net Message-ID: <98fce1870905131150i4098c2ccodfd20acfaece9764 () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 Hi everyone, I wrote a patch for Snort 2.8.4.1 that implements IP blacklisting as a preprocessor in Snort over this past weekend. We talked about this last week on the mailing list in regards to trying to implement blacklisting using regular Snort rules and how well that doesn't work. :) This code has been tested against Snort 2.8.4.1 only. I've tested builds on OS X, Ubuntu and Fedora so far. It requires libdnet (or dumbnet-dev for those of you on Debian-based distros) to build properly. Check the README file that comes with it for instructions on patching it into your codebase. It supports inline blocking and alerting but not Flexresp-style TCP reset session shootdowns. Have a look and let me know what features you'd like or bugs you find. This code is purely EXPERIMENTAL, this is just me spending some of my spare time doing a fun coding project so if your machine sprouts legs and refuses to work until it receives part of the TARP bailout it's not my fault. Here's the link: http://www.snort.org/users/roesch/code/iplist.patch.tgz Marty -- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Security for the Real World - http://www.sourcefire.com Snort: Open Source IDP - http://www.snort.org Are there any plans to include Flexresp TCP Resets for this in the Future? That would be a great feature for me! :-) Jimmy ------------------------------------------------------------------------------ The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Security for the Real World - http://www.sourcefire.com Snort: Open Source IDP - http://www.snort.org ------------------------------------------------------------------------------ The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Blacklisting for Snort 2.8.4.1 Jimmy Tharel (May 13)
- Re: Blacklisting for Snort 2.8.4.1 Martin Roesch (May 13)