Snort mailing list archives
Re: Updated IP Blacklisting patch (version 2)
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Tue, 07 Jul 2009 12:08:52 -0400
Martin Roesch wrote:
> On Mon, Jul 6, 2009 at 5:50 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
>> I was thinking you could have it use the number from the precached event string as the alertid in the gen-msg.map file:
>>
>> Loading bruteforcer blacklist from /etc/snort/iplists/bruteforceblocker.blacklist
>> Loading spamhaus blacklist from /etc/snort/iplists/spamhaus.blacklist
>> Loading tor-exit blacklist from /etc/snort/iplists/tor-exitnode.blacklist
>> Loading tor-server blacklist from /etc/snort/iplists/tor-server.blacklist
>> Loading zeus blacklist from /etc/snort/iplists/zeustracker.blacklist
>> IP List Config:
>> IP Blacklist active with 5241 entries
>> IP Whitelist active with 0 entries
>> Precached event strings:
>> 0 -> Access attempt from bruteforcer blacklisted IP address
>> 1 -> Access attempt from spamhaus blacklisted IP address
>> 2 -> Access attempt from tor-exit blacklisted IP address
>> 3 -> Access attempt from tor-server blacklisted IP address
>> 4 -> Access attempt from zeus blacklisted IP address
>>
>> So you could use numbers 0-4 with the above configuration and the user would have to update their own gen-msg.map to reflect this. So something like:
>>
>> 136 || 0 || spp_iplist: bruteforcer blacklisted ip
>> 136 || 1 || spp_iplist: spamhaus blacklisted ip
>> 136 || 2 || spp_iplist: tor-exit blacklisted ip
>> 136 || 3 || spp_iplist: tor-server blacklisted ip
>> 136 || 4 || spp_iplist: zeus blacklisted ip
>>
>> Now when using unified alerting, barnyard can look back at this and produce more meaningful output. However, when looking at the patch file and the updates that were done to src/generators.h it doesn't look like this is just a super simple quick fix (aka out of the scope of my super simple and poor programming skills). You aren't going to be flying back from Europe with 9 hours to kill again any time soon are you? :)
>
> Hi Eoin,
>
> That's what I was thinking of doing too.
> Really I think it's a one-liner change to do that, you just have to edit line 376 in src/preprocessors/spp_iplist.c from:
>
> SnortEventqAdd(GENERATOR_SPP_IPLIST, IPLIST_BLACKLIST, 1, 0, 0,
>
> to
>
> SnortEventqAdd(GENERATOR_SPP_IPLIST, (int)pn->data, 1, 0, 0,
>
> and that ought to do it. Give it a shot and let me know if it works for you.
>
> Marty
Doh! I should have understood that line better when looking at it. Updated the code and recompiled, it is working great!

--snip--
[136:1:1] Access attempt from spamhaus blacklisted IP address [**] [Priority: 0] {UDP} x.x.x.32:3213 -> x.x.x.154:53
[136:3:1] Access attempt from tor-server blacklisted IP address [**] [Priority: 0] {UDP} x.x.x.212:44503 -> x.x.x.32:53
[136:4:1] Access attempt from zeus blacklisted IP address [**] [Priority: 0] {TCP} x.x.x.64:1889 -> x.x.x.1:80
--snip--

Thanks!

--
Eoin Miller
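A small resolver for the gen-msg.map and alert pairing discussed in this thread, added here as an example; it is not code from the thread, from Snort or from barnyard, and its function names are mine. It parses the `gid || sid || msg` map and the `[gid:sid:rev]` alert header quoted above, and flags any sid whose map entry no longer matches the blacklist load order printed in the "Precached event strings" banner, since after the one-line patch the sid is that index and reordering the lists in snort.conf silently shifts every label. The sample banner, map and alert lines are constructed from the ones quoted in the thread.

```python
import re
# Constructed samples, copied from the banner, map and alert lines quoted in the thread.
PRECACHED = """0 -> Access attempt from bruteforcer blacklisted IP address
1 -> Access attempt from spamhaus blacklisted IP address
2 -> Access attempt from tor-exit blacklisted IP address
3 -> Access attempt from tor-server blacklisted IP address
4 -> Access attempt from zeus blacklisted IP address"""
GEN_MSG_MAP = """136 || 0 || spp_iplist: bruteforcer blacklisted ip
136 || 1 || spp_iplist: spamhaus blacklisted ip
136 || 2 || spp_iplist: tor-exit blacklisted ip
136 || 3 || spp_iplist: tor-server blacklisted ip
136 || 4 || spp_iplist: zeus blacklisted ip"""
ALERT = ("[136:3:1] Access attempt from tor-server blacklisted IP address [**] "
         "[Priority: 0] {UDP} x.x.x.212:44503 -> x.x.x.32:53")

GEN_IPLIST = 136  # generator id the thread assigns to spp_iplist
ALERT_RE = re.compile(r"^\[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\] \[Priority: (\d+)\] "
                      r"\{(\w+)\} (\S+) -> (\S+)$")

def parse_gen_msg_map(text):
    """gen-msg.map lines are 'gid || sid || message'; keyed here by (gid, sid)."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            gid, sid, msg = (f.strip() for f in line.split("||", 2))
            entries[(int(gid), int(sid))] = msg
    return entries

def parse_precached(text):
    """Banner lines 'N -> message': after the one-line patch, N is the alert sid."""
    return {int(n): m for n, m in (l.split(" -> ", 1) for l in text.splitlines())}

def list_name(msg):
    """List name from either style: '... from NAME blacklisted ...' or 'spp_iplist: NAME ...'."""
    m = re.search(r"(?:from|spp_iplist:) (\S+) blacklisted", msg)
    return m.group(1) if m else None

def check_map(precached, genmap, gid=GEN_IPLIST):
    """sids whose map entry is missing or names a different list than the banner index does."""
    return [sid for sid, msg in precached.items()
            if list_name(genmap.get((gid, sid), "")) != list_name(msg)]

def resolve_alert(line, genmap):
    """Parse a '[gid:sid:rev]' alert header and label it from gen-msg.map."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return {"gid": gid, "sid": sid, "rev": rev, "proto": m.group(6), "src": m.group(7),
            "dst": m.group(8), "label": genmap.get((gid, sid), "unknown gid:sid")}
```

Run `check_map` against the banner each time Snort restarts; a non-empty result means the labels barnyard will attach no longer describe the list that actually matched.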