Our Supreme Overlord and Benevolent Dictator, Marty Roesch, had a little free time on his hands over the weekend and spent some of it writing a new preprocessor for Snort 2.8.4.1 that implements IP blacklisting. This should help a great deal with performance for those folks who like to use Snort as a pseudo firewall.
Currently, the patch works and Snort successfully builds on OS X, Fedora and Ubuntu, it may work out of the box on other systems but these are the ones that have been tested so far. There are some requirements and you really need to read the README.iplist that comes in the tarball.
Remember, this code is EXPERIMENTAL and your mileage may vary when using it.
Here's a link to the patch: http://www.snort.org/users/roesch/code/iplist.patch.tgz
Here's a link to Marty's blogpost: http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-snort-2841.html
Have fun!
EDIT: I also got the patch to work on FreeBSD.
Subscribe to:
Post Comments (Atom)
whats the best tool or application at your opinion to blacklist ips ? which one do you use for example?
ReplyDeleteDNS or your firewall.
ReplyDeleteThis patch to snort was written to help some people who were not able to use a firewall or DNS to do this job. If you have a firewall (and you should if you don't) or if you have a DNS server then use those resources to do the blacklisting.
With DNS you can use RBLs easily. You would need to do a little work to convert that data into a suitable firewall rule but it can be done.