[Emerging-Sigs] Potential BPF File Limitations?

Joel Esler jesler at sourcefire.com
Thu Oct 13 15:55:20 EDT 2011


Blacklist -- If you are inline, will drop.
Whitelist -- will not pass the traffic from the IPs into the detection engine.  Essentially bypassing all inspection.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Oct 13, 2011, at 1:00 PM, Korodev wrote:

> From what I've read, the new reputation preprocessors SF has
> introduced will fire off an event when it sees a whitelisted or
> blacklisted IP, but I'm unclear as to what happens after that. Is
> Snort done with the packet at that point, or does it continue on
> through rule inspection?
> 
> \\korodev
> 
> 
> 
> On Thu, Oct 13, 2011 at 11:10 AM, Martin Holste <mcholste at gmail.com> wrote:
>> Snort 2.9.1.1 introduced the socket you can write to which will
>> dynamically change the black and whitelists, which looks like it will
>> help you (http://manual.snort.org/node16.html#SECTION003219000000000000000).
>>  What is unclear is whether or not a whitelist means you will not
>> alert on that traffic or not.  Joel, can you clarify?
>> 
>> On Thu, Oct 13, 2011 at 8:54 AM, Korodev <korodev at gmail.com> wrote:
>>> I'm in a situation where I need to efficiently tell Snort to ignore a
>>> large dynamic list of IPs similar to a whitelist scenario. I'm
>>> currently using BPF filters in a file, but after seeing Eoin's RBN
>>> trickery, I was wondering if there might be any performance
>>> differences in building these as ipvars and negating them from my
>>> external ipvar.
>>> 
>>> I'm thinking that BPF filters are still probably the best route here,
>>> since processing occurs much earlier in the process, but I'm worried
>>> about how it will scale as the BPF file grows. Should I be worried
>>> about this?
>>> 
>>> \\korodev
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> 
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>> 
>> 
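The thread compares three ways of keeping a large, dynamic IP list out of detection: a BPF filter file (packets never reach Snort), an ipvar negated from EXTERNAL_NET (packets are decoded and preprocessed, rules just do not match), and the reputation preprocessor whitelist (which, per Joel's answer, bypasses the detection engine entirely). The script below is an added example, not code from the thread or from Snort: it takes one list and emits all three forms, aggregating adjacent prefixes first so the BPF expression stays short as the list grows. The input list is constructed; the variable name WHITELIST and the "one entry per line, # comments" list-file layout are assumptions (the layout follows the reputation preprocessor's list files as I recall them).

```python
"""
Emit a BPF filter, a Snort ipvar and a reputation-preprocessor whitelist
file from one allow-list, collapsing adjacent prefixes first.

Added example, not code from the thread; SAMPLE_LIST is constructed.
"""
import ipaddress

# Constructed sample list. Layout assumed: one IP or CIDR per line,
# '#' starts a comment (the reputation preprocessor's list-file style).
SAMPLE_LIST = """
# partner ranges
192.0.2.0/25
192.0.2.128/25
198.51.100.7
198.51.100.7      # duplicate on purpose
203.0.113.0/24
2001:db8::/32
"""


def parse_entries(text):
    """Parse IP/CIDR lines, ignoring blank lines and '#' comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates host bits set in a prefix entry
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge duplicates and adjacent prefixes, one address family at a time.

    collapse_addresses refuses mixed v4/v6 input, so split first.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6))


def to_bpf(nets):
    """BPF expression excluding every prefix; libpcap evaluates this before
    Snort ever sees the packet, so nothing here is inspected or logged."""
    terms = []
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            terms.append("host %s" % n.network_address)
        else:
            terms.append("net %s" % n)
    return "not (" + " or ".join(terms) + ")"


def to_ipvar(nets, name="WHITELIST"):
    """Snort ipvar line; negate it elsewhere as !$WHITELIST (name assumed).
    Traffic still goes through decode and preprocessors, only rules skip it."""
    return "ipvar %s [%s]" % (name, ",".join(str(n) for n in nets))


def to_reputation_list(nets):
    """Whitelist file body for the reputation preprocessor, one prefix per
    line; whitelisted hosts bypass the detection engine per the thread."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    raw = parse_entries(SAMPLE_LIST)
    nets = collapse(raw)
    print("%d entries collapsed to %d prefixes" % (len(raw), len(nets)))
    print(to_bpf(nets))
    print(to_ipvar(nets))
    print(to_reputation_list(nets), end="")
```

Run it as-is to see the six constructed entries collapse to four prefixes; the BPF string is what you would put in the file passed with `-F`. Whichever form you choose, note what you lose: the BPF and reputation-whitelist routes give no visibility at all into traffic from those hosts, while the ipvar route keeps preprocessor-level alerts (and the cost of decoding the packets).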


