Snort mailing list archives
Re: alerts on blacklisted IPs
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 1 Sep 2014 13:35:06 +0000
You can alert with the reputation preprocessor. Just use the preprocessor rules set to alert.

--
Joel Esler
Sent from my iPhone

On Sep 1, 2014, at 5:00, "Victor-Alexandru Truica" <vat () mnworks dk> wrote:

Hello,

I have a blacklist file containing multiple IP ranges. I want to create a general rule that will fire an alert like "Blacklisted interaction":

alert ip $HOME_NET any -> $BLACKLIST_DSHIELD any (msg:"Blacklist interaction"; sid:1000100;)

Since the IPs and IP ranges are too many, I thought that it would be too much of a hassle to define my ipvar like:

ipvar BLACKLISTED_IP [88.88.88.88,99.99.99.99,...]

Is it possible to create an ipvar that would load its IPs from an external file, say like:

ipvar BLACKLISTED_IP [/root/blacklistfile]

or

ipvar BLACKLISTED_IP include ipblacklist.txt

? I've tried different variations of the path for "ipvar BLACKLISTED_IP [/root/blacklistfile]" but nothing worked.

PS - I've read a bit on the Reputation preprocessor (http://manual.snort.org/node175.html) but I don't want to "block/drop/pass" the packets, I just want an alert on this.

--
Victor-Alexandru Truica
Blog/Website : http://truica-victor.com
E-Mail : vat () mnworks dk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
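An added example of the configuration Joel's reply points at (not from either poster): the Snort 2.9 reputation preprocessor fed from a blacklist file, with the GID 136 preprocessor rule left as `alert` so a blacklisted address only raises an event. File paths, the memcap value and the sample list entries are assumptions for this example.

```conf
# --- snort.conf (assumed paths) ---
# The reputation preprocessor is a dynamic preprocessor; it must be loaded first.
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

var BLACK_LIST_PATH   /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# Load the IP/CIDR list file instead of enumerating addresses in an ipvar.
# memcap is in MB; nested_ip inner means the innermost IP header is checked
# for tunnelled traffic (both values assumed for this example).
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    blacklist $BLACK_LIST_PATH/black_list.rules

# Preprocessor events (GID 136) only fire if the preprocessor rules are enabled.
include $PREPROC_RULE_PATH/preprocessor.rules

# --- /etc/snort/rules/black_list.rules (constructed sample) ---
# One IPv4/IPv6 address or CIDR block per line; '#' starts a comment.
# 88.88.88.0/24
# 99.99.99.99

# --- /etc/snort/preproc_rules/preprocessor.rules (relevant line) ---
# Keep the action "alert"; in passive IDS mode a blacklist match produces this
# event rather than dropping the packet (dropping only applies inline).
# alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
```

A hit then appears in the alert log as `[136:1:1] (spp_reputation) reputation: Packet is blacklisted`, so no custom `ipvar` rule is needed for the list.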
Current thread:
- alerts on blacklisted IPs Victor-Alexandru Truica (Sep 01)
- Re: alerts on blacklisted IPs Joel Esler (jesler) (Sep 01)