Re: Updated IP Blacklisting patch (version 2)

[Eoin Miller <eoin.miller () trojanedbinaries com>]

Martin Roesch wrote:
> On Mon, Jul 6, 2009 at 5:50 PM, Eoin
> Miller<eoin.miller () trojanedbinaries com> wrote:
>   
> > I was thinking you could have it use the number from the precached event
> > string as the alertid in the gen-msg.map file:
> >
> > Loading bruteforcer blacklist from
> > /etc/snort/iplists/bruteforceblocker.blacklist
> > Loading spamhaus blacklist from /etc/snort/iplists/spamhaus.blacklist
> > Loading tor-exit blacklist from /etc/snort/iplists/tor-exitnode.blacklist
> > Loading tor-server blacklist from /etc/snort/iplists/tor-server.blacklist
> > Loading zeus blacklist from /etc/snort/iplists/zeustracker.blacklist
> > IP List Config:
> >    IP Blacklist active with 5241 entries
> >    IP Whitelist active with 0 entries
> >    Precached event strings:
> >        0 ->  Access attempt from bruteforcer blacklisted IP address
> >        1 ->  Access attempt from spamhaus blacklisted IP address
> >        2 ->  Access attempt from tor-exit blacklisted IP address
> >        3 ->  Access attempt from tor-server blacklisted IP address
> >        4 ->  Access attempt from zeus blacklisted IP address
> >
> > So you could use numbers 0-4 with the above configuration and the user
> > would have to update their own gen-msg.map to reflect this. So something
> > like:
> >
> > 136 || 0 || spp_iplist: bruteforcer blacklisted ip
> > 136 || 1 || spp_iplist: spamhaus blacklisted ip
> > 136 || 2 || spp_iplist: tor-exit blacklisted ip
> > 136 || 3 || spp_iplist: tor-server blacklisted ip
> > 136 || 4 || spp_iplist: zeus blacklisted ip
> >
> > Now when using unified alerting, barnyard can look back at this and
> > produce more meaningful output. However, when looking at the patch file
> > and the updates that were done to src/generators.h it doesn't look like
> > this is just a super simple quick fix (aka out of the scope of my super
> > simple and poor programming skills). You aren't going to be flying back
> > from Europe with 9 hours to kill again any time soon are you? :)
> >     
>
> Hi Eoin,
>
> That's what I was thinking of doing too.  Really I think it's a one
> liner change to do that, you just have to edit line 376 in
> src/preprocessors/spp_iplist.c from:
>
> SnortEventqAdd(GENERATOR_SPP_IPLIST, IPLIST_BLACKLIST, 1, 0, 0,
>
> to
>
> SnortEventqAdd(GENERATOR_SPP_IPLIST, (int)pn->data, 1, 0, 0,
>
> and that ought to do it.  Give it a shot and let me know if it works for you.
>
>
> Marty
>
>   
Doh! I should have understood that line better when looking at it.
Updated the code and recompiled, it is working great!

--snip--
[136:1:1] Access attempt from spamhaus blacklisted IP address [**]
[Priority: 0] {UDP} x.x.x.32:3213 -> x.x.x.154:53
[136:3:1] Access attempt from tor-server blacklisted IP address [**]
[Priority: 0] {UDP} x.x.x.212:44503 -> x.x.x.32:53
[136:4:1] Access attempt from zeus blacklisted IP address [**]
[Priority: 0] {TCP} x.x.x.64:1889 -> x.x.x.1:80
--snip--

Thanks!

--
Eoin Miller

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge  
This is your chance to win up to $100,000 in prizes! For a limited time, 
vendors submitting new applications to BlackBerry App World(TM) will have 
the opportunity to enter the BlackBerry Developer Challenge. See full prize 
details at: http://p.sf.net/sfu/blackberry
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users