Snort mailing list archives

Re: alerts on blacklisted IPs


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 1 Sep 2014 13:35:06 +0000

You can alert with the reputation preprocessor.  Just use the preprocessor rules set to alert.

--
Joel Esler
Sent from my iPhone

On Sep 1, 2014, at 5:00, "Victor-Alexandru Truica" <vat () mnworks dk> wrote:


Hello,

I have a blacklist file containing multiple IP ranges. I want to create a general rule that will fire an alert like "Blacklisted interaction":

alert ip $HOME_NET any -> $BLACKLIST_DSHIELD any (msg:"Blacklist interaction";sid:1000100;)

Since the IPs and IP ranges are too many, I thought that it would be too much of a hassle to define my ipvar like:

ipvar BLACKLISTED_IP [88.88.88.88,99.99.99.99,...]

Is it possible to create an ipvar that would load its IPs from an external file, say like:

ipvar BLACKLISTED_IP [/root/blacklistfile]

Or

ipvar BLACKLISTED_IP include ipblacklist.txt

?

I've tried different variations of the path for "ipvar BLACKLISTED_IP [/root/blacklistfile]" but nothing worked.

PS - I've read a bit on the Reputation preprocessor (http://manual.snort.org/node175.html) but I don't want to "block/drop/pass" the packets, I just want an alert on this.



--
Victor-Alexandru Truica
Blog/Website : http://truica-victor.com
E-Mail : vat () mnworks dk

------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
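
Added example (not part of the original thread, and not Snort project code): the reputation preprocessor recommended in the reply reads its list from an external file, one IP or CIDR block per line with `#` comments, named by its `blacklist` option. The sketch below normalises a mixed feed into that form; the feed contents, the `start-end` range notation and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample feed: single IPs, CIDR blocks, a dash range, junk.
SAMPLE_FEED = """\
# constructed sample, documentation address space only
192.0.2.10
192.0.2.11
198.51.100.0/24
198.51.100.128/25
203.0.113.0-203.0.113.255
2001:db8::/32
not-an-ip
"""

def parse_entry(text):
    """Return the networks covered by one feed entry (hypothetical helper)."""
    if "-" in text:  # assumed "start-end" range notation
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False accepts entries with host bits set, e.g. 198.51.100.5/24
    return [ipaddress.ip_network(text, strict=False)]

def build_blacklist(feed):
    """Normalise a feed into (collapsed CIDR strings, rejected lines)."""
    nets, rejected = {4: [], 6: []}, []
    for lineno, raw in enumerate(feed.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        try:
            for net in parse_entry(entry):
                nets[net.version].append(net)
        except (ValueError, TypeError):
            rejected.append((lineno, raw))  # report instead of guessing
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        merged.extend(ipaddress.collapse_addresses(nets[version]))
    return [str(n) for n in merged], rejected

def render(cidrs):
    """One entry per line, with a leading comment line."""
    return "# generated blacklist\n" + "\n".join(cidrs) + "\n"

if __name__ == "__main__":
    cidrs, rejected = build_blacklist(SAMPLE_FEED)
    print(render(cidrs), end="")
    for lineno, raw in rejected:
        print(f"skipped line {lineno}: {raw!r}")
```

Overlapping and adjacent entries are merged, so the generated file stays as short as the feed allows, and malformed lines are reported rather than written out.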