[Snort-users] Does Snort support country blocking


Ricky Huang
Mar 6, 2013, 12:15:54 PM

Hello,

I would like to know if Snort supports blocking by geographic location?  Using something like integration with GeoIP.  This is for the case where our servers are known to receive frequent attacks from a certain country and would like to block it.


Thanks!

JJC
Mar 6, 2013, 12:22:45 PM

You can add entire CIDR blocks of the offending countries to your IP
Rep preprocessor (or add them to your firewall before it gets to your
IPS also) kind of thing... It's not uncommon for US only based
companies to block all of APNIC for example...

JJC
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort...@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!


Ricky Huang
Mar 6, 2013, 1:15:09 PM

On Mar 6, 2013, at 9:22 AM, JJC <cumm...@gmail.com> wrote:

> You can add entire CIDR blocks of the offending countries to your IP
> Rep preprocessor […]

Does IP Rep preprocessor refer to the IP blacklist rules file?


Jaime Nebrera
Mar 6, 2013, 12:24:39 PM

> I would like to know if Snort supports blocking by geographic location?  Using something like integration with GeoIP.  This is for the case where our servers are known to receive frequent attacks from a certain country and would like to block it.

We have included such a capability in our redBorder IPS platform.

It is free to download and open source, so feel free to give it a try.

PS: I work for the company developing redBorder.

JJC
Mar 6, 2013, 1:18:12 PM

That is correct.

Ricky Huang
Mar 6, 2013, 1:21:13 PM

Looking at the file it seems it is just a text list of individual IPs - does it support range syntax like "[]", "-", or "*"?

JJC
Mar 6, 2013, 1:24:06 PM

snippet from README.reputation:

IP List File Format

Syntax
The IP list file has 1 entry per line. The entry can be either IP entry or
comment.

IP Entry
CIDR notation <comments> line break
Example:
172.16.42.32/32

Comment
# <comments>
Example:
# This is a full line comment

IP List File Example
----------------------
# This is a full line comment
172.16.42.32/32 # This is an inline comment, line with single CIDR block

Use case

A user wants to protect his/her network from unwanted/unknown IPs, only
allowing some trusted IPs. Here is the configuration:

    preprocessor reputation: \
        blacklist /etc/snort/default.blacklist, \
        whitelist /etc/snort/default.whitelist

In file "default.blacklist"
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1

In file "default.whitelist"
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com
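Added example, not code from the thread or from Snort itself: a small Python parser for the README.reputation list format quoted above, run against the README's own blacklist/whitelist use case. It also rejects the range syntaxes asked about earlier in the thread ("-", "*", "[]"), since the format accepts only CIDR entries; whitelist-over-blacklist precedence is an assumption here, matching what the use case implies.

```python
import ipaddress

# Constructed sample files in the README.reputation list format:
# one CIDR entry per line, '#' starts a full-line or inline comment.
BLACKLIST_TEXT = """\
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1
"""
WHITELIST_TEXT = """\
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com
"""


def parse_ip_list(text):
    """Parse a reputation list file into ip_network objects.

    Only CIDR entries are accepted; a bare address becomes a /32 (or /128),
    as in the README's whitelist example. Range syntax such as
    '10.0.0.1-10.0.0.9', '10.0.0.*' or '[...]' raises ValueError rather than
    silently producing an entry that never matches.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        try:
            # strict=False: the README's '1.0.0.0/1' has host bits set and is
            # masked down to 0.0.0.0/1, which is the intended "half of IPv4".
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not CIDR notation") from exc
    return networks


def classify(addr, blacklist, whitelist):
    """Return 'whitelist', 'blacklist' or 'unlisted' for one address.

    Assumed precedence: whitelist wins, so the two /1 blacklist entries cover
    all of IPv4 while the trusted hosts in the whitelist are carved back out.
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in whitelist):
        return "whitelist"
    if any(ip in net for net in blacklist):
        return "blacklist"
    return "unlisted"


if __name__ == "__main__":
    bl, wl = parse_ip_list(BLACKLIST_TEXT), parse_ip_list(WHITELIST_TEXT)
    for a in ("68.177.102.22", "203.0.113.7"):
        print(a, classify(a, bl, wl))
```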