Snort mailing list archives
Re: Updated IP Blacklisting patch (version 2)
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 06 Jul 2009 17:50:43 -0400
Martin Roesch wrote:
> On Mon, Jun 22, 2009 at 6:06 PM, Eoin Miller<eoin.miller () trojanedbinaries com> wrote:
>> Martin Roesch wrote:
>> Hey everyone,
>>
>> Is anyone else who is using this patch able to get the information about which blacklist is being triggered when you are using barnyard? Since the generator is just identified by number 136 and the unified output that goes through barnyard just references the gen-msg.map, it isn't really possible to determine which blacklist triggered the alert. If you use fast/full alerting this patch does indeed work great!
>
> Hi Eoin,
>
> I'd have to think about how to do that, probably the best route is to add a mapping like we do with the rule messages. Of course, then we'd need to assign static numbers to the 3rd party lists or something. Definitely bears thinking about.
>
> Marty
I was thinking you could have it use the number from the precached event string as the alertid in the gen-msg.map file:

Loading bruteforcer blacklist from /etc/snort/iplists/bruteforceblocker.blacklist
Loading spamhaus blacklist from /etc/snort/iplists/spamhaus.blacklist
Loading tor-exit blacklist from /etc/snort/iplists/tor-exitnode.blacklist
Loading tor-server blacklist from /etc/snort/iplists/tor-server.blacklist
Loading zeus blacklist from /etc/snort/iplists/zeustracker.blacklist
IP List Config:
    IP Blacklist active with 5241 entries
    IP Whitelist active with 0 entries
Precached event strings:
    0 -> Access attempt from bruteforcer blacklisted IP address
    1 -> Access attempt from spamhaus blacklisted IP address
    2 -> Access attempt from tor-exit blacklisted IP address
    3 -> Access attempt from tor-server blacklisted IP address
    4 -> Access attempt from zeus blacklisted IP address

So you could use numbers 0-4 with the above configuration and the user would have to update their own gen-msg.map to reflect this. So something like:

136 || 0 || spp_iplist: bruteforcer blacklisted ip
136 || 1 || spp_iplist: spamhaus blacklisted ip
136 || 2 || spp_iplist: tor-exit blacklisted ip
136 || 3 || spp_iplist: tor-server blacklisted ip
136 || 4 || spp_iplist: zeus blacklisted ip

Now when using unified alerting, barnyard can look back at this and produce more meaningful output. However, when looking at the patch file and the updates that were done to src/generators.h it doesn't look like this is just a super simple quick fix (aka out of the scope of my super simple and poor programming skills). You aren't going to be flying back from Europe with 9 hours to kill again any time soon are you?
:)

-- 
Eoin Miller
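Added example, not part of this thread or of the patch: a small helper that reads the "Precached event strings" section of the startup output quoted above and emits the matching gen-msg.map lines for generator 136, plus a check for entries that already claim that generator id. The startup text is a constructed sample in the same format; the sid numbering is whatever order the lists were loaded in, so the map must be regenerated whenever the list configuration is reordered.

```python
import re

# Constructed sample in the format of the startup output quoted in the thread.
SAMPLE_STARTUP = """\
Loading bruteforcer blacklist from /etc/snort/iplists/bruteforceblocker.blacklist
Loading spamhaus blacklist from /etc/snort/iplists/spamhaus.blacklist
IP List Config:
    IP Blacklist active with 5241 entries
    IP Whitelist active with 0 entries
Precached event strings:
    0 -> Access attempt from bruteforcer blacklisted IP address
    1 -> Access attempt from spamhaus blacklisted IP address
"""

GENERATOR_ID = 136  # generator id used by the blacklist preprocessor (from the thread)

EVENT_RE = re.compile(
    r"^\s*(\d+)\s+->\s+Access attempt from (\S+) blacklisted IP address\s*$")


def parse_precached_events(startup_output):
    """Return {sid: list_name} parsed from the 'Precached event strings' section."""
    events = {}
    in_section = False
    for line in startup_output.splitlines():
        if line.strip() == "Precached event strings:":
            in_section = True
            continue
        if not in_section:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            break  # first non-event line ends the section
        events[int(m.group(1))] = m.group(2)
    return events


def gen_msg_map_lines(events, generator_id=GENERATOR_ID):
    """Build 'gid || sid || message' lines in the style shown in the thread."""
    return ["%d || %d || spp_iplist: %s blacklisted ip" % (generator_id, sid, name)
            for sid, name in sorted(events.items())]


def conflicting_entries(existing_map_text, generator_id=GENERATOR_ID):
    """Lines of an existing gen-msg.map that already use generator_id."""
    conflicts = []
    for line in existing_map_text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 3 and parts[0].isdigit() and int(parts[0]) == generator_id:
            conflicts.append(line)
    return conflicts
```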