Wednesday, May 13, 2009

IP Blacklisting in Snort

Our Supreme Overlord and Benevolent Dictator, Marty Roesch, had a little free time on his hands over the weekend and spent some of it writing a new preprocessor for Snort 2.8.4.1 that implements IP blacklisting. This should help a great deal with performance for those folks who like to use Snort as a pseudo firewall.

Currently the patch works and Snort builds successfully on OS X, Fedora and Ubuntu; it may work out of the box on other systems, but these are the ones that have been tested so far. There are some requirements, and you really need to read the README.iplist that comes in the tarball.

Remember, this code is EXPERIMENTAL and your mileage may vary when using it.

Here's a link to the patch: http://www.snort.org/users/roesch/code/iplist.patch.tgz

Here's a link to Marty's blogpost: http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-snort-2841.html

Have fun!

EDIT: I also got the patch to work on FreeBSD.

2 comments:

  1. What's the best tool or application, in your opinion, to blacklist IPs? Which one do you use, for example?

  2. DNS or your firewall.

    This patch to Snort was written to help some people who were not able to use a firewall or DNS to do this job. If you have a firewall (and you should if you don't) or if you have a DNS server then use those resources to do the blacklisting.

    With DNS you can use RBLs easily. You would need to do a little work to convert that data into a suitable firewall rule but it can be done.

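The conversion step the comment above sketches, as an added example that is not part of the post or of the Snort patch: build the reversed-octet name a DNS-based blacklist (RBL) lookup uses, then turn a plain-text blacklist (constructed here, with comments, duplicates and junk lines) into collapsed iptables DROP rules. The `zone.example` RBL zone and the sample list are assumptions.

```python
import ipaddress

# Constructed sample blacklist (not data from the post): one IPv4 address or
# CIDR per line, '#' comments and blank lines ignored, with a duplicate,
# a bogus line and an IPv6 entry to show what the parser discards.
SAMPLE_BLACKLIST = """\
# constructed example list
192.0.2.10
192.0.2.0/24   # whole test range, already covers 192.0.2.10
198.51.100.7
198.51.100.7   # duplicate
not-an-address
2001:db8::1
"""


def dnsbl_query_name(ip, zone):
    """Name to resolve when asking an IPv4 RBL about `ip`: reversed octets
    under the list's zone, e.g. 192.0.2.10 -> 10.2.0.192.zone.example."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 RBL lookups are handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def parse_blacklist(text):
    """Parse IPv4 addresses/CIDRs from `text`, skipping comments, blank lines
    and anything that is not IPv4. Returns sorted, de-duplicated networks
    with overlapping entries collapsed into their covering prefix."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # not an address: skip rather than guess
        if net.version == 4:
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets, chain="INPUT"):
    """Render one iptables DROP rule per network, inserted at the top of `chain`."""
    return ["iptables -I %s -s %s -j DROP" % (chain, net) for net in nets]


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "zone.example"))
    for rule in iptables_rules(parse_blacklist(SAMPLE_BLACKLIST)):
        print(rule)
```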
