Snort mailing list archives
alerts on blacklisted IPs
From: Victor-Alexandru Truica <vat () mnworks dk>
Date: Mon, 01 Sep 2014 10:40:06 +0200
Hello,

I have a blacklist file containing multiple IP ranges. I want to create a general rule that will fire an alert like "Blacklisted interaction":

alert $HOME_NET any -> $BLACKLIST_DSHIELD any (msg:"Blacklist interaction";sid:1000100;)

Since the IPs and IP ranges are too many, I thought that it would be too much of a hassle to define my ipvar like:

ipvar BLACKLISTED_IP [88.88.88.88,99.99.99.99,...]

Is it possible to create an ipvar that would load its IPs from an external file? Say, like:

ipvar BLACKLISTED_IP [/root/blacklistfile]

or

ipvar BLACKLISTED_IP include ipblacklist.txt

I've tried different variations of the path for "ipvar BLACKLISTED_IP [/root/blacklistfile]" but nothing worked.

PS - I've read a bit on the Reputation preprocessor (http://manual.snort.org/node175.html) but I don't want to "block/drop/pass" the packets, I just want an alert on this.
-- Victor-Alexandru Truica Blog/Website : http://truica-victor.com E-Mail : vat () mnworks dk
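
One way to keep the ipvar in step with an external blacklist file, as an added example that is not part of the original post: generate the `ipvar` line from the file and paste it into snort.conf or pull it in with an `include` line. The input format (one IP, CIDR, or start-end range per line, `#` comments), the function names, and the sample data are assumptions.

```python
import ipaddress

# Constructed sample blacklist; a real one would be read from a file.
SAMPLE = """\
# constructed sample blacklist
88.88.88.88
99.99.99.0/24
99.99.99.99
10.0.0.0-10.0.0.3
not-an-ip
"""

def parse_entry(text):
    """Turn one entry (IP, CIDR, or start-end range) into a list of networks."""
    if "-" in text:  # start-end range, split into the CIDR blocks that cover it
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(text, strict=False)]

def load_blacklist(lines):
    """Return (collapsed networks, rejected lines as (line_no, text))."""
    nets, rejected = [], []
    for line_no, raw in enumerate(lines, 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            nets.extend(parse_entry(entry))
        except (ValueError, TypeError):
            # Malformed entries are reported instead of ending up in the config.
            rejected.append((line_no, raw.rstrip("\n")))
    collapsed = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return collapsed, rejected

def render_ipvar(name, nets):
    """Render the networks as a single 'ipvar NAME [a,b,...]' line."""
    if not nets:
        raise ValueError("refusing to write an empty ipvar list")
    items = ",".join(
        str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets
    )
    return f"ipvar {name} [{items}]"

if __name__ == "__main__":
    networks, bad = load_blacklist(SAMPLE.splitlines())
    print(render_ipvar("BLACKLISTED_IP", networks))
    for line_no, text in bad:
        print(f"# skipped line {line_no}: {text}")
```

Overlapping entries are merged (99.99.99.99 is absorbed by 99.99.99.0/24), which keeps the generated list short when the source file is large.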