Snort mailing list archives

Re: Specific IP rule sets


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 05 Mar 2003 15:44:56 -0500

1) you can get this kind of info from the text DB's at http://www.blackholes.us/

2) I don't think what you want to do is practical to do inside snort itself. You'll have thousands and thousands of different IP-range sets to deal with to cover any reasonable set of countries. Brazil alone is 259 different ranges of IP addresses. Once you start looking at the zone data in blackholes.us you'll start realizing just how complex this is.

This MIGHT be reasonable to do with a back-end tool that parses the IP address out of an alert and does a comparison against the blackholes.us text DB's (or does a DNS lookup against a local DNS server with their zonefiles) and adds lines to the logfiles to indicate that the previous alert matched a given country. But it's certainly not going to be reasonable to do this processing inside snort itself. I'm pretty sure it's just going to be too slow if you try.



At 01:30 PM 3/5/2003 -0600, Nall, Robert wrote:

1. I am trying to compile a list of all IPs per country into country lists. Does anyone know of or have a resource that has this information?

2. If I get a list of IP ranges, what would be the best solution to implement this? Create new rules? I wouldn't like to do this for each exploit, but I don't want a general "catch all" rule based on the fact that it would capture every single packet... I don't want that, just the bad stuff ;)

Any help would be appreciated...


__________________________________________
Robert Nall
Network Administrator
Riley County - Information Systems
110 Courthouse Plaza
Manhattan, KS 66502
Phone: (785) 537-6309
Cell: (785) 313-9003
Fax: (785) 537-6306
Email: rnall () co riley ks us



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
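The post-processing approach Matt sketches (parse the IP out of a Snort alert, compare it against a country-to-range text DB, append an annotation line to the log) can be shown in a small script. This is an added example, not code from the thread or from Snort, and it assumes a CIDR-per-line DB format of its own; the prefixes are RFC 5737 documentation networks and the country tags "AA"/"BB" are placeholders, not real allocations. Ranges are kept sorted and searched with bisect so that the lookup cost stays logarithmic even with the thousands of ranges a real DB would contain.

```python
import bisect
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample of a "country -> IP ranges" text DB (one "COUNTRY CIDR" per line).
# Documentation prefixes and placeholder country tags only; this is not real geo data.
SAMPLE_RANGE_DB = """\
# country cidr
AA 192.0.2.0/24
AA 198.51.100.0/25
BB 198.51.100.128/25
BB 203.0.113.0/24
"""

# Constructed Snort "fast" alert lines; sids and messages are made up for this example.
SAMPLE_ALERTS = [
    "03/05-15:44:56.123456  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 3] {TCP} 192.0.2.10:4444 -> 10.1.1.5:80",
    "03/05-15:45:01.654321  [**] [1:1000002:1] CONSTRUCTED icmp echo [**] [Priority: 3] {ICMP} 10.1.1.5 -> 203.0.113.7",
    "03/05-15:45:09.000001  [**] [1:1000003:1] CONSTRUCTED internal scan [**] [Priority: 2] {TCP} 10.1.1.9:51000 -> 10.1.1.5:22",
]

# "src[:port] -> dst[:port]" as written in fast alerts; the port is optional (ICMP has none).
ALERT_IP_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}):?\d*\s*->\s*(\d{1,3}(?:\.\d{1,3}){3})"
)


class RangeIndex:
    """Sorted, non-overlapping (start, end, country) intervals with bisect lookup."""

    def __init__(self, entries: List[Tuple[str, str]]):
        ranges = []
        for country, cidr in entries:
            net = ipaddress.ip_network(cidr, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address), country))
        ranges.sort()
        # A binary search is only correct on disjoint intervals, so reject overlaps up front.
        for prev, cur in zip(ranges, ranges[1:]):
            if cur[0] <= prev[1]:
                raise ValueError(f"overlapping ranges: {prev} and {cur}")
        self._starts = [r[0] for r in ranges]
        self._ranges = ranges

    @classmethod
    def from_text(cls, text: str) -> "RangeIndex":
        entries = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            country, cidr = line.split()
            entries.append((country, cidr))
        return cls(entries)

    def lookup(self, ip: str) -> Optional[str]:
        """Return the country tag whose range contains ip, or None."""
        addr = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self._starts, addr) - 1
        if i >= 0:
            start, end, country = self._ranges[i]
            if start <= addr <= end:
                return country
        return None


def parse_alert_ips(line: str) -> Optional[Tuple[str, str]]:
    """Extract (src, dst) IPv4 addresses from one fast-alert line, or None."""
    m = ALERT_IP_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def annotate_alerts(lines: List[str], index: RangeIndex) -> List[str]:
    """Copy alert lines through, adding a '[geo]' line after any alert whose src or dst matched."""
    out = []
    for line in lines:
        out.append(line)
        ips = parse_alert_ips(line)
        if ips is None:
            continue
        tags = []
        for role, ip in zip(("src", "dst"), ips):
            country = index.lookup(ip)
            if country:
                tags.append(f"{role}={ip} country={country}")
        if tags:
            out.append("    [geo] " + " ".join(tags))
    return out


def run_example() -> List[str]:
    return annotate_alerts(SAMPLE_ALERTS, RangeIndex.from_text(SAMPLE_RANGE_DB))


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

The script is meant to run against a finished alert file (or as a pipe reading from it), which is exactly the split Matt recommends: Snort keeps doing fast packet matching, and the country tagging happens afterwards where a few extra milliseconds per alert do not cost packets. Swapping the text DB for a DNS lookup against a local zone, as the reply also suggests, only changes `RangeIndex.lookup`.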

