IP Blacklisting Version 2 for Snort 2.8.4.1 available
I found myself with 9 hours to kill on an airplane ride this weekend, so I coded up the two features I've been hearing requested the most for the original IP Blacklisting patch I wrote. The first new feature is the ability to associate a name with a blacklist and have that name appear in the events that Snort outputs. The second is the ability to load blacklists from external files, so that very large blacklists can be maintained without having to modify the snort.conf file.
Both of these features are now available in version 2 of the patch. Direct loading of the IP address lists from the snort.conf preprocessor directive is no longer supported; you have to use the external files.
Here is a sample directive for snort.conf:
preprocessor iplist: blacklist dshield /etc/snort/dshield.blacklist \
blacklist sourcefire /etc/snort/sourcefire.blacklist \
whitelist /etc/snort/default.whitelist
And here is a sample blacklist file:
# This is a blacklist file, there are many like it but this one is mine
# Comments are supported
10.1.1.0/24 192.168.0.0/16 # I can do inline comments too and put
# multiple CIDR blocks on one line
172.16.16.17/32
172.16.15.14/32 # Whatever you like
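To make the two formats above concrete, here is an added example (not code from the patch or from Snort) that parses a "preprocessor iplist:" directive with its backslash continuations, loads each named list file using the comment and multiple-CIDR-per-line rules shown, and reports which named list an address falls in. The file contents are constructed inline so it runs offline; the second blacklist and whitelist contents, and the lenient treatment of host bits set in a CIDR, are assumptions, since the post does not describe them, and the post does not state how the patch resolves an address that is on both a blacklist and a whitelist, so the example returns every match and leaves that decision to the caller.

```python
"""Parse a Snort iplist directive and its blacklist/whitelist files (added example)."""
import ipaddress
import shlex

# Constructed sample input: the snort.conf directive from the post.
SAMPLE_DIRECTIVE = r"""preprocessor iplist: blacklist dshield /etc/snort/dshield.blacklist \
    blacklist sourcefire /etc/snort/sourcefire.blacklist \
    whitelist /etc/snort/default.whitelist
"""

# Constructed sample file contents, keyed by path so nothing is read from disk.
# Only the dshield file mirrors the post; the other two are assumed.
SAMPLE_FILES = {
    "/etc/snort/dshield.blacklist": """# This is a blacklist file, there are many like it but this one is mine
# Comments are supported
10.1.1.0/24 192.168.0.0/16 # I can do inline comments too and put
# multiple CIDR blocks on one line
172.16.16.17/32
172.16.15.14/32 # Whatever you like
""",
    "/etc/snort/sourcefire.blacklist": "203.0.113.0/24\n",
    "/etc/snort/default.whitelist": "192.168.100.0/24   # trusted management net\n",
}


def parse_directive(text):
    """Return [(kind, name, path)] from a 'preprocessor iplist:' directive.

    Backslash-newline continuations are joined first. A blacklist entry
    carries a name and a path; a whitelist entry carries only a path.
    """
    joined = text.replace("\\\n", " ")
    _head, sep, body = joined.partition("iplist:")
    if not sep:
        raise ValueError("not an iplist directive")
    tokens = shlex.split(body)
    entries = []
    i = 0
    while i < len(tokens):
        kind = tokens[i]
        if kind == "blacklist":
            if i + 2 >= len(tokens):
                raise ValueError("blacklist needs <name> <path>")
            entries.append((kind, tokens[i + 1], tokens[i + 2]))
            i += 3
        elif kind == "whitelist":
            if i + 1 >= len(tokens):
                raise ValueError("whitelist needs <path>")
            entries.append((kind, None, tokens[i + 1]))
            i += 2
        else:
            raise ValueError(f"unknown keyword {kind!r} in iplist directive")
    return entries


def parse_list_file(text):
    """Return the CIDR blocks in a list file.

    '#' starts a comment, whole-line or inline, and one line may carry
    several blocks separated by whitespace. Malformed entries are reported
    with their line number so a bad list is caught before Snort loads it.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        for token in line.split():
            try:
                # strict=False accepts host bits set (e.g. 10.1.1.5/24); this is an
                # assumption, the patch's own handling of that case is not described.
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError as exc:
                raise ValueError(f"line {lineno}: bad CIDR {token!r}") from exc
    return nets


def load_lists(directive_text, files):
    """Build [(kind, name, [networks])] from a directive and a path->content map."""
    return [(kind, name, parse_list_file(files[path]))
            for kind, name, path in parse_directive(directive_text)]


def match(lists, address):
    """Return every (kind, name) whose list contains address, in directive order.

    Blacklist/whitelist precedence is not stated in the post, so the caller decides.
    """
    ip = ipaddress.ip_address(address)
    return [(kind, name) for kind, name, nets in lists if any(ip in net for net in nets)]


if __name__ == "__main__":
    lists = load_lists(SAMPLE_DIRECTIVE, SAMPLE_FILES)
    for addr in ("10.1.1.77", "192.168.100.5", "203.0.113.9", "8.8.8.8"):
        print(addr, "->", match(lists, addr))
```

Running the file prints, for each sample address, the lists it falls in, e.g. 10.1.1.77 maps to the dshield blacklist only, while 192.168.100.5 hits both the dshield blacklist (via 192.168.0.0/16) and the assumed whitelist, which is exactly the overlap a deployment has to make a policy decision about.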
As per usual, bug reports and feature requests can be sent directly to me. I still haven't done any performance testing of this code so your mileage may vary. I'd be interested to hear of any comparisons of the performance of this code vs the Emerging Threats blacklist.
Tested on Ubuntu, Fedora and OS X only so far.
You can get the patch here:
http://www.snort.org/users/roesch/code/iplist.patch.v2.tgz
Labels: IDS, IPS, open source, Snort, Sourcefire, tools
10 Comments:
Awesome! The external blacklist/whitelist option looks great. I'll be sure to give it a try when i get back home tonight.
Keep up the good work.
Martin - any idea when this capability will be available for Sourcefire users?
Nope, this is still purely a "cowboy" patch, it's not on the product schedule and so on. Hopefully sometime in the not too distant future but we'll have to see.
Have you tried your patch with the 2.8.5 beta?
I haven't tried patching against 2.8.5 but it's on my TODO list. I'll make a post here when I get a chance to do it.
Is it possible to upload a black IP list while Snort is running? If so, how?
And, if you can, I hope Snort could drop packets I don't want from any country, like it works with the GeoIP module.
Anyway, I'm one of the big Snort users. I really thank you!! Marty
No, you can't load a new list on the fly, that would require me to add a lot of technology to make Snort interactive. It might be possible to hijack a signal to basically "kick" snort and have it reload the files but you're going to lose packet processing capabilities when you do it since Snort is single threaded.
In Snort 3.0 there is an interactive capability but I haven't made this code available on that code base yet.
That's all good.
And what about some support for current Nessus plugins in Sourcefire 3D?
After all, Sourcefire does claim to support Nessus reporting, the only problem is that the version supported died 4 years ago...rendering that support effectively useless...
The patch 2.8.5 may work.
I loved this blacklisting capability. Thank you for this security feature.