Monday, June 08, 2009

IP Blacklisting Version 2 for Snort 2.8.4.1 available


I found myself with 9 hours to kill on an airplane ride this weekend, so I coded up the two features I've been hearing the most requests for since I wrote the original IP Blacklisting patch. The first new feature is the ability to associate a name with a blacklist and have that name included in the event that Snort outputs. The second feature is the ability to load blacklists from external files, so that very large blacklists can be maintained without having to modify the snort.conf file.

Both of these features are now available in version 2 of the patch. Direct loading of IP address lists from the snort.conf preprocessor directive is no longer supported; you have to use the external files.

Here is a sample directive for snort.conf:

preprocessor iplist: blacklist dshield /etc/snort/dshield.blacklist \
blacklist sourcefire /etc/snort/sourcefire.blacklist \
whitelist /etc/snort/default.whitelist

And here is a sample blacklist file:

# This is a blacklist file, there are many like it but this one is mine
# Comments are supported
10.1.1.0/24 192.168.0.0/16 # I can do inline comments too and put
# multiple CIDR blocks on one line
172.16.16.17/32
172.16.15.14/32 # Whatever you like
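As an added example (not part of the post or of the patch itself), here is a small Python loader that reads files in the format shown above, keeps the name of each blacklist, and reports which named list an address hits. The sample file contents are constructed, and the rule that a whitelist entry exempts an address from every blacklist is an assumption of this example, since the post does not state how the two interact.

```python
import ipaddress

def parse_iplist(text):
    """Parse one blacklist/whitelist file in the post's format: '#' starts a
    comment (full-line or inline), blank lines are ignored, and a line may
    carry several CIDR blocks separated by whitespace."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, then whitespace
        if not line:
            continue
        for tok in line.split():
            try:
                nets.append(ipaddress.ip_network(tok, strict=False))
            except ValueError as exc:
                raise ValueError(f"line {lineno}: bad CIDR {tok!r}") from exc
    return nets

class IpList:
    """Named blacklists plus one whitelist, mirroring the preprocessor directive."""
    def __init__(self, blacklists, whitelist=""):
        self.blacklists = [(name, parse_iplist(text)) for name, text in blacklists]
        self.whitelist = parse_iplist(whitelist)

    def lookup(self, addr):
        """Return the name of the first blacklist containing addr, or None.
        Assumption: a whitelist hit exempts the address entirely."""
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self.whitelist):
            return None
        for name, nets in self.blacklists:
            if any(ip in net for net in nets):
                return name
        return None

# Constructed sample files, in the same format as the post's example.
DSHIELD = """# constructed dshield.blacklist
10.1.1.0/24 192.168.0.0/16 # two blocks on one line, inline comment
172.16.16.17/32
"""
SOURCEFIRE = "172.16.15.14/32 # constructed sourcefire.blacklist\n"
WHITELIST = "192.168.100.0/24 # constructed default.whitelist, inside a blacklisted /16\n"

def build_sample():
    return IpList([("dshield", DSHIELD), ("sourcefire", SOURCEFIRE)], WHITELIST)

if __name__ == "__main__":
    lists = build_sample()
    for a in ("192.168.1.1", "192.168.100.5", "172.16.15.14", "203.0.113.9"):
        print(a, "->", lists.lookup(a))
```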


As per usual, bug reports and feature requests can be sent directly to me. I still haven't done any performance testing of this code, so your mileage may vary. I'd be interested to hear of any comparisons of the performance of this code vs. the Emerging Threats blacklist.

Tested on Ubuntu, Fedora and OS X only so far.

You can get the patch here:

http://www.snort.org/users/roesch/code/iplist.patch.v2.tgz
