[Emerging-Sigs] IP Rules Direction

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 31 13:53:00 EST 2011


On Oct 31, 2011, at 2:47 PM, Joel Esler wrote:

> If you are referring to Snort's ip reputation preprocessor, it's quite functional now.  Especially in inline mode.
> 

I was thinking Suricata. But have been watching Snort's.

Problem there is, as I understand it, blacklisting just lets you say block and don't process traffic? Is that right?

What we *need* and are putting in Suricata is the ability to categorize. We classify IPs and domains on about 25 categories, and not all are blockable. Just info to add to a rule. So we'll have lookups for reputation in a rule like flowbits.

Is that something coming in Snort? It'd be very nice if that is the case, so we can distribute more data to both engines!

Thanks Joel

Matt


> 
> On Oct 31, 2011, at 2:45 PM, Matthew Jonkman wrote:
> 
>> Or waiting till ip_reputation is functional.
> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
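An added illustration (not code from the thread or from Suricata itself) of the categorized lookup Matt describes: a reputation store keyed by IP and category, queried from a rule with a flowbits-like condition, where only some categories are blockable. The two file formats, category names, scores and thresholds are constructed assumptions modelled loosely on the categories/reputation CSV layout Suricata later adopted for iprep.

```python
"""Toy categorized IP reputation lookup, in the spirit of the thread."""
import ipaddress
import operator

# Constructed sample data (assumption: "<id>,<name>,<description>" lines).
CATEGORIES_TXT = """\
1,CnC,Known command and control servers
2,Scanner,Hosts seen scanning
3,DNS,Public DNS resolvers (informational only)
"""
# Constructed sample data (assumption: "<ip>,<category id>,<score 0-127>").
REPUTATION_TXT = """\
192.0.2.10,1,90
192.0.2.10,3,40
198.51.100.7,2,60
"""
# Only some categories justify a block; the rest are context for a rule.
BLOCKABLE = {"CnC"}
_OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}


def load_categories(text):
    """Map category name -> numeric id, skipping blanks and comments."""
    cats = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            cid, name, _desc = line.split(",", 2)
            cats[name] = int(cid)
    return cats


def load_reputation(text):
    """Map (ip, category id) -> score; one IP may carry several categories."""
    rep = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ip, cid, score = line.split(",")
            rep[(ipaddress.ip_address(ip), int(cid))] = int(score)
    return rep


def iprep_match(rep, cats, ip, category, op, value):
    """Rule-side lookup, e.g. 'CnC > 30'; unknown IP/category never matches."""
    score = rep.get((ipaddress.ip_address(ip), cats[category]))
    return score is not None and _OPS[op](score, value)


def verdict(rep, cats, ip):
    """Block only on a blockable category; otherwise alert with context."""
    hits = sorted(n for n, c in cats.items() if iprep_match(rep, cats, ip, n, ">", 0))
    action = "block" if BLOCKABLE & set(hits) else "alert" if hits else "pass"
    return action, hits


CATS = load_categories(CATEGORIES_TXT)
REP = load_reputation(REPUTATION_TXT)
```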
