Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Snort-devel] IP Blacklisting for Snort 2.8.4.1

From: Jason Brvenik <jasonb () sourcefire com>
Date: Wed, 13 May 2009 21:26:41 -0400
It sounds like a good case for post processing markup. SnortUnified.pm
has hooks to make this easy. "Handlers" should do well as none of the
other output code needs modification, it will do it in the background
before presenting the complete event.

Basically create and register a handler for all GID 135 events to
lookup the IP address in metadata and place it into the message.

On Wed, May 13, 2009 at 9:13 PM, Martin Roesch <roesch () sourcefire com> wrote:

Hi Seth,

The alerts look exactly like standard preprocessor alerts, I'm using
GID 135 for the plugin and it only generates one message.  I could get
fancier with some of it but noting the origin of a blacklisted IP
would be a bit of a pain.  The ptrie structure does support attaching
data to the address entries but where there are collisions the logic
will get more complex and it makes the parsing more complex too.  If
we can live with it this way that makes life easiest for me but if
someone makes a good use case for it I'll implement it.

Marty

On Wed, May 13, 2009 at 4:02 PM, Seth Art <sethsec () gmail com> wrote:

I am pretty sure a blacklist.conf, called in snort.conf would do the trick.

With the name thing, I think it would be informative to record why
each IP was blocked or alerted on.

The high speed functionality is great, don't get me wrong.  Obviously
we cant have all the info we get from a sig, AND have a high speed
preproc, however I assume the alerts will look like any other preproc
alert, right?  If I could pick one piece of information to have in
addition to the IP, it would be a classification (command and control,
malware, spam servers, rbn, etc).  I think this would help with
response.

If the additional memory/complexity would defeat the purpose of having
the high speed preproc in the first place, then I agree that it might
not make sense.

Either way, I am looking forward to testing it out.   Thanks.

-Seth


On Wed, May 13, 2009 at 3:37 PM, Martin Roesch <roesch () sourcefire com> wrote:

You can achieve the same thing via just putting the iplist
preprocessor instantiation in a separate file (blacklist.conf?) and
then including the file from Snort.conf.  I didn't want to spend a lot
of time writing more file opening/reading/parsing logic and loops to
get this out more quickly so I stuck with the built-in parser.  I
setup the runtime config of the system so that you could make multiple
calls to load the whitelist/blacklist if it gets bigger than Snort can
load in its standard parse buffer.

In that name field are you trying to denote the source of the
blacklist?  Tracking that stuff within the data structure would either
require additional memory and complexity to produce the name or
multiple instantiations of the data structure and associated overhead.
 I'd figure performance would be more important than the name but
that's just me talking.  I could certainly add all this stuff but I
think basic and fast might be the better way to go from where I sit.

Thoughts?

Marty

On Wed, May 13, 2009 at 3:31 PM, Seth Art <sethsec () gmail com> wrote:

Pretty cool!

Suggestion: Rather than enter the IP addresses into snort.conf, it
might be easier to manage something like this if we reference files
that include the IP lists using a predefined syntax.  That way you can
download community based lists daily without ever having to update
snort.conf each time.

Something like this:

preprocessor iplist: < noalerts > < nodrops > <directory>
                   whitelist name <filename>
                   blacklist name <filename>
                   blacklist name <filename>

Ex:

preprocessor iplist:
                   whitelist trusted /etc/snort/lists/trusted.list
                   blacklist ET-dshield /etc/snort/lists/dshield.list
                   blacklist ET-CC /etc/snort/lists/cc.list

 Thoughts?


On Wed, May 13, 2009 at 2:50 PM, Martin Roesch <roesch () sourcefire com> wrote:

Hi everyone,

I wrote a patch for Snort 2.8.4.1 that implements IP blacklisting as a
preprocessor in Snort over this past weekend.  We talked about this
last week on the mailing list in regards to trying to implement
blacklisting using regular Snort rules and how well that doesn't work.
:)

This code has been tested against Snort 2.8.4.1 only.  I've tested
builds on OS X, Ubuntu and Fedora so far.  It requires libdnet (or
dumbnet-dev for those of you on Debian-based distros) to build
properly.  Check the README file that comes with it for instructions
on patching it into your codebase.  It supports inline blocking and
alerting but not Flexresp-style TCP reset session shootdowns.

Have a look and let me know what features you'd like or bugs you find.

This code is purely EXPERIMENTAL, this is just me spending some of my
spare time doing a fun coding project so if your machine sprouts legs
and refuses to work until it receives part of the TARP bailout it's
not my fault.

Here's the link:

http://www.snort.org/users/roesch/code/iplist.patch.tgz

Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image
processing features enabled. http://p.sf.net/sfu/kodak-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org







--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image
processing features enabled. http://p.sf.net/sfu/kodak-com
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel



------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image 
processing features enabled. http://p.sf.net/sfu/kodak-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: