Our Supreme Overlord and Benevolent Dictator, Marty Roesch, had a little free time on his hands over the weekend and spent some of it writing a new preprocessor for Snort that implements IP blocklisting. This should help a great deal with performance for those folks who like to use Snort as a pseudo firewall. Currently, the patch works and Snort successfully builds on OS X, Fedora and Ubuntu, it may work out of the box on other systems but these are the ones that have been tested so far. There are some requirements and you really need to read the README.iplist that comes in the tarball. Remember, this code is EXPERIMENTAL and your mileage may vary when using it. Here's a link to the patch: http://www.snort.org/users/roesch/code/iplist.patch.tgz Here's a link to Marty's blogpost: http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-snort-2841.html Have fun! EDIT: I also got the patch to work on FreeBSD.