Snort mailing list archives
Re: Does Snort support country blocking
From: JJC <cummingsj () gmail com>
Date: Wed, 6 Mar 2013 11:24:06 -0700
snippet from README.reputation: IP List File Format Syntax The IP list file has 1 entry per line. The entry can be either IP entry or comment. IP Entry CIDR notation <comments> line break Example: 172.16.42.32/32 Comment # <comments> Example: # This is a full line comment IP List File Example ---------------------- # This is a full line comment 172.16.42.32/32 # This is an inline comment, line with single CIDR block Use case A user wants to protect his/her network from unwanted/unknown IPs, only allowing some trusted IPs. Here is the configuration: preprocessor reputation: \ blacklist /etc/snort/default.blacklist whitelist /etc/snort/default.whitelist In file "default.blacklist" # These two entries will match all ipv4 addresses 1.0.0.0/1 128.0.0.0/1 In file "default.whitelist" 68.177.102.22 # sourcefire.com 74.125.93.104 # google.com On Wed, Mar 6, 2013 at 11:21 AM, Ricky Huang <rhuang.work () gmail com> wrote:
Looking at the file it seems it is just a text list of individual IPs - does it support range syntax like "[]", "-", or "*"? On Mar 6, 2013, at 10:18 AM, JJC <cummingsj () gmail com> wrote: That is correct On Wed, Mar 6, 2013 at 11:15 AM, Ricky Huang <rhuang.work () gmail com> wrote: On Mar 6, 2013, at 9:22 AM, JJC <cummingsj () gmail com> wrote: You can add entire CIDR blocks of the offending countries to your IP Rep preprocessor […] Does IP Rep preprocessor refer to the IP blacklist rules file?
------------------------------------------------------------------------------ Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Does Snort support country blocking Ricky Huang (Mar 06)
- Re: Does Snort support country blocking JJC (Mar 06)
- Re: Does Snort support country blocking Ricky Huang (Mar 06)
- Re: Does Snort support country blocking JJC (Mar 06)
- Re: Does Snort support country blocking Ricky Huang (Mar 06)
- Re: Does Snort support country blocking JJC (Mar 06)
- Re: Does Snort support country blocking Ricky Huang (Mar 06)
- Re: Does Snort support country blocking JJC (Mar 06)