Snort mailing list archives

Re: Updated IP Blacklisting patch (version 2)


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 6 Jul 2009 15:57:09 -0400

On Mon, Jun 22, 2009 at 6:06 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
Martin Roesch wrote:
Hey everyone,


Is anyone else using this patch able to get the information about
which blacklist is being triggered when you are using barnyard? Since
the generator is just identified by number 136 and the unified output
that goes through barnyard just references the gen-msg.map, it isn't
really possible to determine which blacklist triggered the alert. If you
use fast/full alerting this patch does indeed work great!

Hi Eoin,

I'd have to think about how to do that, probably the best route is to
add a mapping like we do with the rule messages.  Of course, then we'd
need to assign static numbers to the 3rd party lists or something.
Definitely bears thinking about.

Marty


-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
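Added example to illustrate the gap Eoin describes and the mapping Marty proposes; this is not code from Snort, barnyard or the blacklist patch. The "gid || sid || message" line format is the one gen-msg.map actually uses, and generator id 136 comes from the thread above; the map contents, the per-list sids and list names, and the fallback message text are constructed here for illustration.

```python
"""Resolve (gid, sid) pairs from unified output to a message, the way
barnyard does through gen-msg.map, and show why a single generic entry for
generator 136 loses the blacklist name while a per-list entry keeps it.
"""

# Constructed gen-msg.map excerpt: generator 136 has only one generic
# message, so every blacklist hit resolves to the same text.
GENERIC_MAP = """\
# gid || sid || message
1 || 1 || snort general alert
136 || 1 || (spp_blacklist) IP blacklist hit
"""

# Constructed map in the style Marty suggests: each third-party list is
# assigned a static sid under generator 136, so the list name survives the
# trip through unified output and barnyard. List names are made up.
PER_LIST_MAP = """\
# gid || sid || message
136 || 1 || (spp_blacklist) IP blacklist hit (unspecified list)
136 || 2 || (spp_blacklist) list=example-list-a
136 || 3 || (spp_blacklist) list=example-list-b
"""


def parse_gen_msg_map(text):
    """Parse gen-msg.map text into {(gid, sid): message}.

    Blank lines and '#' comments are skipped; a line without at least
    three '||'-separated fields is rejected rather than silently dropped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            raise ValueError(f"malformed gen-msg.map line: {raw!r}")
        gid, sid = int(parts[0]), int(parts[1])
        table[(gid, sid)] = parts[2]
    return table


def resolve(table, gid, sid):
    """Return the message for a unified event's (gid, sid).

    The fallback string for an unmapped pair is constructed here; it mirrors
    the situation where the output tool has no text for an event beyond its
    numeric identifiers.
    """
    return table.get((gid, sid), f"Snort Alert [{gid}:{sid}:0]")


def distinguishable_lists(table, gid=136):
    """Count distinct messages under a generator.

    A result of 1 means every event from that generator reads the same,
    which is exactly the problem with a single generic entry for 136.
    """
    return len({msg for (g, _), msg in table.items() if g == gid})


if __name__ == "__main__":
    generic = parse_gen_msg_map(GENERIC_MAP)
    per_list = parse_gen_msg_map(PER_LIST_MAP)
    # Constructed unified events: (gid, sid) pairs as barnyard would see them.
    for gid, sid in [(136, 2), (136, 3), (136, 99)]:
        print("generic :", resolve(generic, gid, sid))
        print("per-list:", resolve(per_list, gid, sid))
    print("distinct messages, generic map :", distinguishable_lists(generic))
    print("distinct messages, per-list map:", distinguishable_lists(per_list))
```

With the generic map every blacklist event either collapses to the one shared message or falls through to the bare numeric identifiers, which is what makes the triggering list unrecoverable from unified output; the per-list map only works if the sid for each list stays fixed across runs and across the people sharing the map, which is the static-numbering problem Marty raises.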

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

