Snort mailing list archives

Re: Updated IP Blacklisting patch (version 2)


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 06 Jul 2009 17:50:43 -0400

Martin Roesch wrote:
> On Mon, Jun 22, 2009 at 6:06 PM, Eoin
> Miller<eoin.miller () trojanedbinaries com> wrote:
>> Martin Roesch wrote:
>>> Hey everyone,
>>
>> Is anyone else using this patch able to get the information about
>> which blacklist is being triggered when you are using barnyard? Since
>> the generator is just identified by number 136 and the unified output
>> that goes through barnyard just references the gen-msg.map, it isn't
>> really possible to determine which blacklist triggered the alert. If you
>> use fast/full alerting this patch does indeed work great!
>
> Hi Eoin,
>
> I'd have to think about how to do that, probably the best route is to
> add a mapping like we do with the rule messages.  Of course, then we'd
> need to assign static numbers to the 3rd party lists or something.
> Definitely bears thinking about.
>
> Marty

I was thinking you could have it use the number from the precached event
string as the alertid in the gen-msg.map file:

Loading bruteforcer blacklist from
/etc/snort/iplists/bruteforceblocker.blacklist
Loading spamhaus blacklist from /etc/snort/iplists/spamhaus.blacklist
Loading tor-exit blacklist from /etc/snort/iplists/tor-exitnode.blacklist
Loading tor-server blacklist from /etc/snort/iplists/tor-server.blacklist
Loading zeus blacklist from /etc/snort/iplists/zeustracker.blacklist
IP List Config:
    IP Blacklist active with 5241 entries
    IP Whitelist active with 0 entries
    Precached event strings:
        0 ->  Access attempt from bruteforcer blacklisted IP address
        1 ->  Access attempt from spamhaus blacklisted IP address
        2 ->  Access attempt from tor-exit blacklisted IP address
        3 ->  Access attempt from tor-server blacklisted IP address
        4 ->  Access attempt from zeus blacklisted IP address

So you could use numbers 0-4 with the above configuration and the user
would have to update their own gen-msg.map to reflect this. So something
like:

136 || 0 || spp_iplist: bruteforcer blacklisted ip
136 || 1 || spp_iplist: spamhaus blacklisted ip
136 || 2 || spp_iplist: tor-exit blacklisted ip
136 || 3 || spp_iplist: tor-server blacklisted ip
136 || 4 || spp_iplist: zeus blacklisted ip

Now when using unified alerting, barnyard can look back at this and
produce more meaningful output. However, when looking at the patch file
and the updates that were done to src/generators.h it doesn't look like
this is just a super simple quick fix (aka out of the scope of my super
simple and poor programming skills). You aren't going to be flying back
from Europe with 9 hours to kill again any time soon are you? :)

--
Eoin Miller
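The workaround proposed above (use the precached event index as the sid for generator 136, and let the user maintain matching gen-msg.map lines) is easy to get wrong by hand, because the indices are assigned in the order the lists are loaded. As an added example that is not part of this thread or of the Snort, barnyard or patch code, the script below parses the "Precached event strings" block from the startup output quoted in the mail, emits the corresponding gen-msg.map lines, and then resolves a (gid, sid) pair the way a gen-msg.map lookup would. The generator id 136 and the startup-log format are taken from the mail; the function names and the fallback label for unmapped events are my own assumptions.

```python
"""
Generate gen-msg.map entries for the IP blacklist preprocessor (generator
136) from Snort's startup output, and resolve (gid, sid) pairs against them.

Added example for this thread, not code from Snort, barnyard or the patch.
Assumptions (not from the thread): the sid is the precached event index,
as proposed in the mail; the startup-log line format is the one quoted there.
"""
import re

IPLIST_GID = 136  # generator id of the IP blacklist preprocessor (from the mail)

# Constructed sample input: the "IP List Config" block quoted in the mail.
STARTUP_LOG = """\
IP List Config:
    IP Blacklist active with 5241 entries
    IP Whitelist active with 0 entries
    Precached event strings:
        0 ->  Access attempt from bruteforcer blacklisted IP address
        1 ->  Access attempt from spamhaus blacklisted IP address
        2 ->  Access attempt from tor-exit blacklisted IP address
        3 ->  Access attempt from tor-server blacklisted IP address
        4 ->  Access attempt from zeus blacklisted IP address
"""

# One precached event line: "<index> ->  Access attempt from <list> blacklisted IP address"
EVENT_RE = re.compile(
    r"^\s*(\d+)\s*->\s*Access attempt from (\S+) blacklisted IP address\s*$")


def parse_precached_events(log_text):
    """Return {index: list_name} from the 'Precached event strings:' block."""
    events = {}
    in_block = False
    for line in log_text.splitlines():
        if line.strip() == "Precached event strings:":
            in_block = True
            continue
        if not in_block:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            if line.strip():      # first non-matching, non-blank line ends the block
                break
            continue
        events[int(m.group(1))] = m.group(2)
    return events


def gen_msg_map_lines(events, gid=IPLIST_GID):
    """Emit gen-msg.map lines in the 'gid || sid || message' form used in the mail."""
    return ["%d || %d || spp_iplist: %s blacklisted ip" % (gid, idx, name)
            for idx, name in sorted(events.items())]


def parse_gen_msg_map(lines):
    """Parse gen-msg.map text into {(gid, sid): message}; comments and blanks are skipped."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) != 3:
            continue              # malformed line; ignore rather than abort
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def resolve_event(table, gid, sid):
    """Map a unified-output event to its message; unmapped events get a generic label (assumed format)."""
    return table.get((gid, sid), "unknown event %d:%d" % (gid, sid))


if __name__ == "__main__":
    # Regenerate the map from the current startup output and show a sample lookup.
    lines = gen_msg_map_lines(parse_precached_events(STARTUP_LOG))
    print("\n".join(lines))
    print(resolve_event(parse_gen_msg_map(lines), IPLIST_GID, 2))
```

Because the indices follow load order, adding, removing or reordering a list in the preprocessor configuration silently renumbers every event after it; regenerating the map from the startup output on each restart, and alerting on any (136, sid) that resolves to the unknown label, catches that drift before the barnyard output becomes misleading.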

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
