Snort mailing list archives

alerts on blacklisted IPs


From: Victor-Alexandru Truica <vat () mnworks dk>
Date: Mon, 01 Sep 2014 10:40:06 +0200

Hello,

I have a blacklist file containing multiple IP ranges. I want to create a general rule that will fire an alert like "Blacklisted interaction":

alert ip $HOME_NET any -> $BLACKLIST_DSHIELD any (msg:"Blacklist interaction";sid:1000100;)

Since the IPs and IP ranges are too many, I thought that it would be too much of a hassle to define my ipvar like:

ipvar BLACKLISTED_IP [88.88.88.88,99.99.99.99,...]


Is it possible to create an ipvar that would load its IPs from an external file, say like:

ipvar BLACKLISTED_IP [/root/blacklistfile]

Or

ipvar BLACKLISTED_IP include ipblacklist.txt

?

I've tried different variations of the path for "ipvar BLACKLISTED_IP [/root/blacklistfile]" but nothing worked.

PS - I've read a bit on the Reputation preprocessor (http://manual.snort.org/node175.html) but I don't want to "block/drop/pass" the packets, I just want an alert on this.


--
Victor-Alexandru Truica
Blog/Website : http://truica-victor.com
E-Mail : vat () mnworks dk
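
One way to get the effect asked about above, as an added example that is not part of the original post: generate the `ipvar` line from the blacklist file with a script, then pull the generated file into snort.conf with Snort's `include` directive. The file format (one IP or CIDR per line, `#` comments), the sample addresses and the function names are assumptions.

```python
import ipaddress

# Constructed sample blacklist: one IP or CIDR per line, '#' starts a comment.
SAMPLE_BLACKLIST = """\
# constructed entries from documentation ranges
192.0.2.10
198.51.100.0/25
198.51.100.128/25   # adjacent to the previous range, gets merged
192.0.2.10
203.0.113.7/24      # host bits set, normalised to 203.0.113.0/24
not-an-ip
2001:db8::/32
"""

def parse_blacklist(text):
    """Return (networks, rejected); rejected holds (line_no, entry) pairs."""
    networks, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((line_no, entry))  # report it, never emit it
    return networks, rejected

def collapse(networks):
    """Deduplicate and merge ranges; collapse_addresses needs one IP version."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def render_ipvar(name, networks):
    """Render a single 'ipvar NAME [a,b,...]' line for snort.conf."""
    if not networks:
        raise ValueError("refusing to emit an empty ipvar")
    items = [str(n.network_address) if n.num_addresses == 1 else str(n)
             for n in networks]
    return f"ipvar {name} [{','.join(items)}]"

def build(text, name="BLACKLISTED_IP"):
    networks, rejected = parse_blacklist(text)
    return render_ipvar(name, collapse(networks)), rejected

if __name__ == "__main__":
    line, rejected = build(SAMPLE_BLACKLIST)
    print(line)
    for line_no, entry in rejected:
        print(f"# skipped line {line_no}: {entry!r}")
```

Write the printed line to a file and reference it with `include` in snort.conf ahead of any rule that uses the variable; regenerate the file and reload Snort whenever the blacklist changes.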
