Snort mailing list archives
Re: Updated IP Blacklisting patch (version 2)
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 22 Jun 2009 18:06:13 -0400
Martin Roesch wrote:
Hey everyone,

I had 9 hours to kill flying back to Europe this weekend so I updated the IP Blacklisting patch and it's now available. You can get it here:

http://www.snort.org/users/roesch/code/iplist.patch.v2.tgz

What's new? I rewrote the config loader and the event generation code to support named blacklists and loading IP lists from external files. With these two mods you now get the blacklist name included in the event messages when a banned IP tries to access the network AND you can load however many blacklisted IPs you like, potentially hundreds of thousands (at least). Check out the README.iplist file that comes with it for config instructions. Note that whitelists do NOT take names, they're just exceptions to the blacklist anyway.

As per usual, this has received minimal testing and NO performance testing. May cause cramping, bowel discomfort and spontaneous decapitation, use at your own risk, your mileage may vary, etc. It's a small piece of code but I may have missed something, feel free to send feedback and I'll fix it if you find anything seriously broken.

I still haven't done flexresp-style session sniping nor does it load IPv6 addresses yet. Maybe in v3.

Enjoy!

Marty
Is anyone else using this patch able to get the information about which blacklist is being triggered when you are using barnyard? Since the generator is just identified by number 136 and the unified output that goes through barnyard just references the gen-msg.map, it isn't really possible to determine which blacklist triggered the alert. If you use fast/full alerting this patch does indeed work great!

-- Eoin
Current thread:
- Updated IP Blacklisting patch (version 2) Martin Roesch (Jun 08)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jun 08)
- Re: Updated IP Blacklisting patch (version 2) Luis Daniel Lucio Quiroz (Jun 15)
- Re: Updated IP Blacklisting patch (version 2) Martin Roesch (Jun 16)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jun 22)