Snort mailing list archives
Re: Specific IP rule sets
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 05 Mar 2003 15:44:56 -0500
1) you can get this kind of info from the text DB's at http://www.blackholes.us/
2) I don't think what you want to do is practical to do inside snort itself.. You'll have thousands and thousands of different IP-range sets to deal with to cover any reasonable set of countries. Brazil alone is 259 different ranges of IP addresses. Once you start looking at the zone data in blackholes.us you'll start realizing just how complex this is..
This MIGHT be reasonable to do with a back-end tool that parses the IP address out of an alert and does a comparison against the blackholes.us text DB's (or do a DNS lookup against a local DNS server with their zonefiles) and add lines to the logfiles to indicate that the previous alert matched a given country. But it's certainly not going to be reasonable to do this processing inside snort itself.. I'm pretty sure it's just going to be too slow if you try.
At 01:30 PM 3/5/2003 -0600, Nall, Robert wrote:
1. I am trying to compile a list of all IPs per country into country lists. Does anyone know of or have a resource that has this information?
2. If I get a list of IP ranges, what would be the best solution to implement this? Create new rules? I wouldn't like to do this for each exploit, but I don't want a general "catch all" rule based on the fact that it would capture every single packet... I don't want that, just the bad stuff ;)
Any help would be appreciated...
__________________________________________
Robert Nall
Network Administrator
Riley County - Information Systems
110 Courthouse Plaza
Manhattan, KS 66502
Phone: (785) 537-6309
Cell: (785) 313-9003
Fax: (785) 537-6306
Email: rnall () co riley ks us
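The back-end approach Matt describes (pull the IP out of an alert, compare it against a text range DB, append a note to the log) looks roughly like this. This is an added example, not code from the thread or from blackholes.us; the "CIDR label" file layout is an assumption, and the ranges and alert lines are constructed from RFC 5737 documentation addresses, so no real country is attributed to anything.

```python
import ipaddress
import re

# Constructed stand-in for a per-country text range DB. The "cidr label" layout is
# assumed; RFC 5737 documentation prefixes are used so nothing maps to a real country.
RANGE_DB_TEXT = """\
# cidr            label
198.51.100.0/24   EXAMPLE-A
203.0.113.0/24    EXAMPLE-B
203.0.113.128/25  EXAMPLE-B-SUBNET
"""

# Constructed Snort "fast" alert lines: one source in a listed range, one not.
SAMPLE_ALERTS = [
    "03/05-13:30:01.000001  [**] [1:1000001:1] CONSTRUCTED probe [**] [Priority: 2] "
    "{TCP} 198.51.100.7:4444 -> 10.0.0.5:80",
    "03/05-13:30:02.000002  [**] [1:1000002:1] CONSTRUCTED ping [**] [Priority: 3] "
    "{ICMP} 192.0.2.9 -> 10.0.0.5",
]

# Matches the "{PROTO} src[:port] -> dst[:port]" tail of a fast alert line.
ALERT_RE = re.compile(
    r"\{\w+\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?")

def load_ranges(text):
    """Parse 'cidr label' lines into (network, label) pairs, longest prefix first."""
    ranges = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cidr, label = line.split()
        ranges.append((ipaddress.ip_network(cidr, strict=False), label))
    # Longest prefix first so a sub-range wins over the range enclosing it.
    ranges.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return ranges

def lookup(ranges, ip):
    """Return the label of the most specific range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((label for net, label in ranges if addr in net), None)

def annotate_alerts(alert_lines, ranges):
    """Return the alert lines, each followed by a note when its source IP matched."""
    out = []
    for line in alert_lines:
        out.append(line)
        m = ALERT_RE.search(line)
        label = lookup(ranges, m.group(1)) if m else None
        if label:
            out.append(f"    [geo] source {m.group(1)} is in range set {label}")
    return out

if __name__ == "__main__":
    print("\n".join(annotate_alerts(SAMPLE_ALERTS, load_ranges(RANGE_DB_TEXT))))
```

Running it as a post-processor over the alert file keeps the range matching out of Snort's packet path, which is the point Matt makes about cost.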