Snort mailing list archives

Re: Blacklisting for Snort 2.8.4.1


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 13 May 2009 22:45:21 -0400

Hi Jimmy,

I don't have any plans to add flexresp support at this time; doing it
inline is a much more sure solution than trying to do a TCP session
snipe and has a much greater chance of success (100%) as well.  If
someone can make a convincing use case then it could be a future
feature though.

Marty

On Wed, May 13, 2009 at 10:22 PM, Jimmy Tharel <jtharel () yahoo com> wrote:

Message: 1
Date: Wed, 13 May 2009 14:50:29 -0400
From: Martin Roesch <roesch () sourcefire com>
Subject: [Snort-users] IP Blacklisting for Snort 2.8.4.1
To: Snort-users <snort-users () lists sourceforge net>,
    snort-devel () lists sourceforge net
Message-ID:
    <98fce1870905131150i4098c2ccodfd20acfaece9764 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Hi everyone,

I wrote a patch for Snort 2.8.4.1 that implements IP blacklisting as a
preprocessor in Snort over this past weekend.  We talked about this
last week on the mailing list in regard to trying to implement
blacklisting using regular Snort rules and how well that doesn't work.
:)

This code has been tested against Snort 2.8.4.1 only.  I've tested
builds on OS X, Ubuntu and Fedora so far.  It requires libdnet (or
dumbnet-dev for those of you on Debian-based distros) to build
properly.  Check the README file that comes with it for instructions
on patching it into your codebase.  It supports inline blocking and
alerting but not Flexresp-style TCP reset session shootdowns.

Have a look and let me know what features you'd like or bugs you find.

This code is purely EXPERIMENTAL, this is just me spending some of my
spare time doing a fun coding project so if your machine sprouts legs
and refuses to work until it receives part of the TARP bailout it's
not my fault.

Here's the link:

http://www.snort.org/users/roesch/code/iplist.patch.tgz

Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org



Are there any plans to include Flexresp TCP Resets for this in the Future?
That would be a great feature for me!  :-)

Jimmy


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
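The trade-off Marty describes above (an inline drop is certain, a passive TCP reset is a race against the end hosts) as an added illustration for this thread. This is not code from the iplist patch or from Snort; it models only the receiver-side rules for accepting a RST (RFC 793 in-window check, RFC 5961 exact-match check with challenge ACK) and a blacklist lookup. The sample blacklist, the "send a few RSTs stepped by one MSS" behaviour of the passive sensor, and the simplified in-order-only receiver are all assumptions of the example.

```python
"""
Inline blacklist drop versus passive TCP reset ("session snipe").
Added example for the thread; not Snort or iplist patch code.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample blacklist in a plausible one-entry-per-line format.
SAMPLE_BLACKLIST = [
    "# scanners seen last week",
    "192.0.2.0/24",
    "198.51.100.7   # single host",
]


def load_blacklist(lines):
    """Parse CIDR/host lines (comments after '#') into ip_network objects."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_blacklisted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


@dataclass
class TcpReceiver:
    """Minimal receiver state: next expected byte and advertised window."""
    rcv_nxt: int
    rcv_wnd: int
    closed: bool = False

    def deliver(self, seq, length):
        """Accept in-order data only (reassembly is out of scope here)."""
        if self.closed or seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + length) & 0xFFFFFFFF
        return True

    def receive_rst(self, rst_seq, rfc5961):
        """RFC 793: any in-window RST resets.  RFC 5961 3.2: only a RST
        with seq == RCV.NXT resets; in-window but inexact -> challenge ACK;
        out-of-window -> silently dropped."""
        if self.closed:
            return "already-closed"
        lo = self.rcv_nxt
        hi = (self.rcv_nxt + self.rcv_wnd) & 0xFFFFFFFF
        in_window = (lo <= rst_seq < hi) if lo <= hi else (rst_seq >= lo or rst_seq < hi)
        if not in_window:
            return "dropped"
        if rfc5961 and rst_seq != self.rcv_nxt:
            return "challenge-ack"
        self.closed = True
        return "reset"


def passive_reset(seq, length, bytes_in_flight, rfc5961,
                  rsts=3, step=1460, rcv_wnd=65535):
    """A sniffing sensor sees segment (seq, length); the real segment still
    reaches the receiver.  The sensor then injects `rsts` RSTs starting at
    seq+length and stepping by `step` (assumed strategy).  `bytes_in_flight`
    is sender data that lands before the RSTs do; the sensor cannot see it.
    Returns 'reset' if the connection was torn down, else 'survived'."""
    rx = TcpReceiver(rcv_nxt=seq, rcv_wnd=rcv_wnd)
    rx.deliver(seq, length)                  # offending data is delivered
    rx.deliver(rx.rcv_nxt, bytes_in_flight)  # the race the sensor loses
    for k in range(rsts):
        rx.receive_rst((seq + length + k * step) & 0xFFFFFFFF, rfc5961)
    return "reset" if rx.closed else "survived"


def inline_block(seq, length, src_ip, nets, rcv_wnd=65535):
    """Inline: the sensor holds the packet and drops it on a blacklist hit,
    so no guess about receiver state is needed.  Returns True when the
    offending data never reached the receiver."""
    rx = TcpReceiver(rcv_nxt=seq, rcv_wnd=rcv_wnd)
    if not is_blacklisted(src_ip, nets):
        rx.deliver(seq, length)
    return rx.rcv_nxt == seq


if __name__ == "__main__":
    nets = load_blacklist(SAMPLE_BLACKLIST)
    for in_flight in (0, 100, 70000):
        for strict in (False, True):
            print(f"passive, {in_flight:>5} bytes in flight, rfc5961={strict}: "
                  f"{passive_reset(1000, 500, in_flight, strict)}")
    print("inline, 192.0.2.44 blocked:", inline_block(1000, 500, "192.0.2.44", nets))
```

The passive path only succeeds when one of the guessed sequence numbers happens to match what the receiver expects at the moment the RST arrives; with RFC 5961 hosts an in-window guess is answered with a challenge ACK rather than a teardown, and data that arrived in the meantime pushes the guess out of the window entirely. The inline path needs no such guess because the verdict is applied before the packet is forwarded.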
