Monday, June 08, 2009

IP Blacklisting Version 2 for Snort 2.8.4.1 available


I found myself with 9 hours to kill on an airplane ride this weekend so I coded up the two features I've been hearing the most for the original IP Blacklisting patch I wrote. The first new feature was to be able to associate a name with a blacklist and have that name produced in the event that Snort outputs. The second feature was to be able to load blacklists from external files so that very large blacklists could be maintained without having to modify the snort.conf file.

Both of these features are now available in version 2 of the patch. Direct loading of the IP address lists from the snort.conf preprocessor directive is no longer supported, you have to use the external files.

Here is a sample directive for snort.conf:


preprocessor iplist: blacklist dshield /etc/snort/dshield.blacklist \
blacklist sourcefire /etc/snort/sourcefire.blacklist \
whitelist /etc/snort/default.whitelist


And here is a sample blacklist file:

# This is a blacklist file, there are many like it but this one is mine
# Comments are supported
10.1.1.0/24 192.168.0.0/16 # I can do inline comments too and put
# multiple CIDR blocks on one line
172.16.16.17/32
172.16.15.14/32 # Whatever you like


As per usual, bug reports and feature requests can be sent directly to me. I still haven't done any performance testing of this code so your mileage may vary. I'd be interested to hear of any comparisons of the performance of this code vs the Emerging Threats blacklist.

Tested on Ubuntu, Fedora and OS X only so far.

You can get the patch here:

http://www.snort.org/users/roesch/code/iplist.patch.v2.tgz



Technorati Tags:
, , , ,



Labels: , , , , ,

10 Comments:

At 7:24 AM, Anonymous Anonymous said...

Awesome! The external blacklist/whitelist option looks great. I'll be sure to give it a try when i get back home tonight.

Keep up the good work.

 
At 11:05 AM, Anonymous Anonymous said...

Martin - any idea when this capability will be available for Sourcefire users?

 
At 3:16 PM, Blogger Martin Roesch said...

Nope, this is still purely a "cowboy" patch, it's not on the product schedule and so on. Hopefully sometime in the not too distant future but we'll have to see.

 
At 7:16 PM, Blogger Dieu said...

Have you try your patch with 2.8.5 beta?

 
At 9:15 PM, Blogger Martin Roesch said...

I haven't tried patching against 2.8.5 but it's on my TODO list. I'll make a post here when I get a chance to do it.

 
At 12:24 AM, Blogger 현진 said...

It is possible to upload black ip list as Snort working? If do it.. how?

and.. If you can.. I hope Snort could drops packets which I don`t want from any country, like works with GEOIP module.

Anyway I`m one of big snort users. I really Thank you!! Marty

 
At 10:10 AM, Blogger Martin Roesch said...

No, you can't load a new list on the fly, that would require me to add a lot of technology to make Snort interactive. It might be possible to hijack a signal to basically "kick" snort and have it reload the files but you're going to lose packet processing capabilities when you do it since Snort is single threaded.

In Snort 3.0 there is an interactive capability but I haven't made this code available on that code base yet.

 
At 12:00 AM, Anonymous Anonymous said...

That's all good.
And what about some support for current Nessus plugins in Sourcefire 3D?
After all, Sourcefire does claim to support Nessus reporting, the only problem is that the version supported died 4 years ago...rendering that support effectively useless...

 
At 2:28 AM, Anonymous Intrusion Prevention System said...

The patch 2.8.5 may work.

 
At 10:54 PM, Anonymous Linux Ninjas said...

I loved this blacklisting capability. Thank you for this security feature.

 

Post a Comment

<< Home