Snort mailing list archives
Re: Does Snort support country blocking
From: JJC <cummingsj () gmail com>
Date: Wed, 6 Mar 2013 11:24:06 -0700
snippet from README.reputation:
IP List File Format

Syntax
    The IP list file has 1 entry per line. The entry can be either IP entry or
    comment.

IP Entry
    CIDR notation <comments> line break
    Example:
        172.16.42.32/32

Comment
    # <comments>
    Example:
        # This is a full line comment

IP List File Example
----------------------
    # This is a full line comment
    172.16.42.32/32 # This is an inline comment, line with single CIDR block

Use case
    A user wants to protect his/her network from unwanted/unknown IPs, only
    allowing some trusted IPs. Here is the configuration:

    preprocessor reputation: \
        blacklist /etc/snort/default.blacklist, \
        whitelist /etc/snort/default.whitelist

    In file "default.blacklist"
        # These two entries will match all ipv4 addresses
        1.0.0.0/1
        128.0.0.0/1

    In file "default.whitelist"
        68.177.102.22 # sourcefire.com
        74.125.93.104 # google.com

On Wed, Mar 6, 2013 at 11:21 AM, Ricky Huang <rhuang.work () gmail com> wrote:
Looking at the file it seems it is just a text list of individual IPs - does it support range syntax like "[]", "-", or "*"?

On Mar 6, 2013, at 10:18 AM, JJC <cummingsj () gmail com> wrote:
That is correct

On Wed, Mar 6, 2013 at 11:15 AM, Ricky Huang <rhuang.work () gmail com> wrote:
On Mar 6, 2013, at 9:22 AM, JJC <cummingsj () gmail com> wrote:
You can add entire CIDR blocks of the offending countries to your IP Rep preprocessor […]
Does IP Rep preprocessor refer to the IP blacklist rules file?
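An added example, not part of the original message or the Snort README: a Python pre-check for a draft reputation list that keeps the comment and CIDR lines the README defines, converts `first-last` ranges into CIDR blocks, and rejects wildcard or bracket entries. The function names and sample addresses are constructed for illustration, and converting a dashed range is this example's own choice, not Snort behaviour.

```python
import ipaddress
import re

# Constructed sample: README entry kinds plus the range styles asked about.
SAMPLE = """\
# This is a full line comment
172.16.42.32/32 # This is an inline comment, line with single CIDR block
68.177.102.22 # sourcefire.com
192.0.2.0-192.0.2.130
198.51.100.*
[203.0.113.1,203.0.113.9]
"""

RANGE = re.compile(r"^(\S+)\s*-\s*(\S+)$")

def check_line(line):
    """Classify one line: 'comment', 'ok', 'range' (converted) or 'invalid'."""
    entry = line.split("#", 1)[0].strip()
    if not entry:
        return "comment", []
    try:
        # strict=False tolerates host bits, as in the README's 1.0.0.0/1
        return "ok", [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        pass
    m = RANGE.match(entry)
    if not m:
        return "invalid", []
    try:
        first, last = (ipaddress.ip_address(g) for g in m.groups())
        return "range", list(ipaddress.summarize_address_range(first, last))
    except (TypeError, ValueError):  # bad address, mixed versions, last < first
        return "invalid", []

def normalize(text):
    """Rewrite a draft list into CIDR-only lines; collect rejected lines."""
    out, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        status, nets = check_line(line)
        if status == "invalid":
            rejected.append((n, line))
        elif status == "range":
            out.extend(f"{net} # from range on line {n}" for net in nets)
        else:
            out.append(line)
    return out, rejected

if __name__ == "__main__":
    kept, bad = normalize(SAMPLE)
    print("\n".join(kept), *[f"rejected line {n}: {l}" for n, l in bad], sep="\n")
```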
