Snort mailing list archives
Re: [Snort-users] blacklist file for reputation processor
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 21 Jul 2011 16:13:35 -0400
On Jul 21, 2011, at 3:51 PM, Matthew Jonkman wrote:

> Can we feed categories or anything in there, or is this just blocking?

Expand on what you mean here. We have some future improvements planned for the preprocessor, but I am not sure what you mean here.

> Will rule directive be coming so we can query reputation within a stream?

Again, expand on what you mean. The IP preprocessor takes place before any other preprocessor, and before the rules.

J

> Thanks Steve!
>
> Matt
>
> On Jul 21, 2011, at 3:49 PM, Steven Sturges wrote:
>> The preprocessor has a config setting to ignore RFC1918 addresses, so no need to whitelist. Of course you can also blacklist your 192.168.1.1 router if you really want to. ;)
>>
>> -steve
>>
>> On 7/21/11 3:40 PM, Will Metcalf wrote:
>>> Perhaps you should white-list RFC1918 addresses as well there are 10. and 192.168. addy's in those lists. Emerging Threats has a list as well..
>>>
>>> http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> 2011/7/21 Alex Kirk <akirk () sourcefire com>:
>>>> There is a somewhat experimental IP blacklist available at http://labs.snort.org/iplists/, updated on a daily basis. Those IP addresses are things that are touched by the VRT's malware farm - and while we've done some basic whitelisting (i.e. google.com's IP shouldn't show up in there), simply importing those lists and blocking them wholesale would probably be a bad idea. I would suggest cross-referencing those lists with other IP reputation blacklists available on the Internet.
>>>>
>>>> Sourcefire is examining more "turn-key" list solutions for the future, but for the time being this experimental list is all we have available.
>>>>
>>>> 2011/7/20 김무성 <kimms () infosec co kr>
>>>>> Hello list.
>>>>>
>>>>> I saw that release snort-2.9.1 RC. There are some new function that added. It’s awesome. One of them, ip reputation processor, it’s good idea. But important thing is a blacklist. Real blacklist. Is there a blacklist which sourcefire provide to public? Where can I get this list?
>>>>
>>>> --
>>>> Alex Kirk
>>>> AEGIS Program Lead
>>>> Sourcefire Vulnerability Research Team
>>>> +1-410-423-1937
>>>> alex.kirk () sourcefire com
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> PGP: http://www.jonkmans.com/mattjonkman.asc

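
The cross-referencing and RFC1918 filtering discussed in this thread, as an added example that is not part of any poster's message and is not Snort or Sourcefire code. The function names, the `min_sources` threshold and the one-entry-per-line feed format are assumptions, and the sample feeds are constructed from documentation address ranges.

```python
import ipaddress

# RFC1918 private ranges, always excluded from the output.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_feed(text):
    """Parse one feed: an IPv4 address or CIDR per line, '#' starts a comment."""
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.IPv4Network(entry, strict=False))
        except ValueError:
            continue  # skip malformed lines rather than abort the import
    return nets

def build_blacklist(feeds, whitelist=(), min_sources=2):
    """Keep entries that at least min_sources feeds cover and that touch no
    RFC1918 or locally whitelisted range."""
    allow = RFC1918 + [ipaddress.IPv4Network(w) for w in whitelist]
    parsed = [parse_feed(f) for f in feeds]
    keep = set()
    for net in set().union(*parsed):
        if any(net.overlaps(a) for a in allow):
            continue
        # A feed corroborates an entry only if it lists that entry or a wider
        # block containing it, so a lone /24 is not confirmed by one host.
        sources = sum(any(net.subnet_of(o) for o in feed) for feed in parsed)
        if sources >= min_sources:
            keep.add(net)
    return [str(n) for n in ipaddress.collapse_addresses(keep)]

# Constructed sample feeds (documentation ranges, not real indicators).
FEED_A = """# feed A
198.51.100.7
203.0.113.45
192.168.1.1   # RFC1918 entry, as seen in public lists
10.2.3.4
192.0.2.10
not-an-ip
"""
FEED_B = "198.51.100.0/24\n192.168.1.1\n192.0.2.10\n203.0.113.99\n"
FEED_C = "192.0.2.10\n203.0.113.45\n10.2.3.4\n"

if __name__ == "__main__":
    for entry in build_blacklist([FEED_A, FEED_B, FEED_C], whitelist=["192.0.2.10"]):
        print(entry)
```

Entries seen in only one feed, such as the lone /24 in feed B, are dropped, which is the conservative reading of "cross-referencing" for a list that will be used to block.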
Current thread:
- blacklist file for reputation processor 김무성 (Jul 20)
- Re: blacklist file for reputation processor Alex Kirk (Jul 21)
- Re: blacklist file for reputation processor Will Metcalf (Jul 21)
- Re: blacklist file for reputation processor Steven Sturges (Jul 21)
- Re: [Snort-users] blacklist file for reputation processor Matthew Jonkman (Jul 21)
- Re: [Snort-users] blacklist file for reputation processor Joel Esler (Jul 21)
- Re: [Snort-users] blacklist file for reputation processor Pablo (Jul 21)
- Re: [Snort-users] blacklist file for reputation processor 김무성 (Jul 26)
- building a local IP reputation 김무성 (Jul 26)
- Re: [Snort-users] blacklist file for reputation processor Matthew Jonkman (Jul 26)
- Re: blacklist file for reputation processor Will Metcalf (Jul 21)
- Re: blacklist file for reputation processor Alex Kirk (Jul 21)
- Re: blacklist file for reputation processor Will Metcalf (Jul 21)