[Emerging-Sigs] IP Rules Direction

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 31 13:53:00 EST 2011

On Oct 31, 2011, at 2:47 PM, Joel Esler wrote:

> If you are referring to Snort's ip reputation preprocessor, it's quite functional now.  Especially in inline mode.

I was thinking Suricata. But have been watching Snort's.

Problem there is, as I understand, blacklisting just lets you say block and don't process traffic? Is that right?

What we *need* and are putting in Suricata is the ability to categorize. We classify IPs and domains on about 25 categories, and not all are blockable. Just info to add to a rule. So we'll have lookups for reputation in a rule like flowbits.

Is that something coming in Snort? It'd be very nice if that is the case, so we can distribute more data to both engines!

Thanks Joel


> On Oct 31, 2011, at 2:45 PM, Matthew Jonkman wrote:
>> Or waiting till ip_reputation is functional.

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
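
The contrast drawn in the message above, between a block-only blacklist and a per-category reputation lookup used as a rule condition, as an added sketch that is not part of the original message and is not Suricata or Snort code. The "ip,category,score" layout, the category names, the scores and all function names are assumptions made up for the illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges). The
# "ip,category,score" layout and category names are assumptions for this sketch.
SAMPLE_REPUTATION = """\
192.0.2.10,CnC,110
192.0.2.10,Spam,20
198.51.100.7,P2P,60
203.0.113.0/24,Scanner,45
"""

def load_reputation(text):
    """Parse the sample lines into {network: {category: score}}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, category, score = (f.strip() for f in line.split(","))
        net = ipaddress.ip_network(addr, strict=False)
        table.setdefault(net, {})[category] = int(score)
    return table

def score_for(table, ip, category):
    """Highest score for ip in one category across matching networks, else None."""
    ip = ipaddress.ip_address(ip)
    hits = [cats[category] for net, cats in table.items()
            if ip in net and category in cats]
    return max(hits) if hits else None

def rep_match(table, ip, category, op, threshold):
    """Rule-side condition: does ip's score in this category satisfy op?"""
    score = score_for(table, ip, category)
    if score is None:
        return False  # not listed in this category: the condition does not fire
    return {"<": score < threshold, ">": score > threshold,
            "=": score == threshold}[op]

def blocklist_match(table, ip):
    """Blacklist view of the same data: listed or not, category discarded."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in table)

TABLE = load_reputation(SAMPLE_REPUTATION)
```

With the same data, `blocklist_match` treats the P2P host exactly like the CnC host, while `rep_match` lets a rule fire only on the category and score it cares about.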
