[Emerging-Sigs] IP Rules Direction

Joel Esler jesler at sourcefire.com
Mon Oct 31 14:27:08 EST 2011

On Oct 31, 2011, at 2:53 PM, Matthew Jonkman wrote:
> On Oct 31, 2011, at 2:47 PM, Joel Esler wrote:
>> If you are referring to Snort's ip reputation preprocessor, it's quite functional now.  Especially in inline mode.
> I was thinking Suricata. But have been watching Snort's.
> Problem there is as I understand blacklisting just lets you say block and don't process traffic? Is that right?

Blacklist means "block and don't process" (faster for engine), whitelist means "known good don't process" (again, faster for engine).

> What we *need* and are putting in Suricata is the ability to categorize. We classify IPs and domains on about 25 categories, and not all are blockable. Just info to add to a rule. So we'll have lookups for reputation in a rule like flowbits.
> Is that something coming in Snort? It'd be very nice if that is the case, so we can distribute more data to both engines!

I don't comment on future capabilities, but people would be pretty silly to think we're sitting still.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
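The two models discussed in this thread, as an added example that is not part of the list post or of either project's code: a toy reputation preprocessor in which blacklist and whitelist entries short-circuit inspection (drop or pass with no rule evaluation), while categorised entries never block on their own and instead attach tags that a rule can test the way it would test a flowbit. All addresses, categories and the `whitelist_first` knob are constructed assumptions for illustration, not Snort or Suricata configuration names.

```python
"""Toy IP reputation preprocessor (added example, constructed data).

Blacklist / whitelist hits skip rule evaluation entirely, which is the
"faster for engine" behaviour described above.  Categorised entries are
informational: they tag the packet so individual rules can decide.
"""
import ipaddress
from enum import Enum


class Verdict(Enum):
    DROP = "drop"        # blacklisted: block, do not run the rules
    PASS = "pass"        # whitelisted: known good, do not run the rules
    INSPECT = "inspect"  # run the rules, with reputation tags attached


class ReputationTable:
    """CIDR -> (action, categories); action None means informational only."""

    def __init__(self, whitelist_first=True):
        self._entries = []
        # Assumed policy knob: when src and dst disagree, does a whitelist
        # hit override a blacklist hit?  Not a real Snort/Suricata option name.
        self.whitelist_first = whitelist_first

    def add(self, cidr, action=None, categories=()):
        net = ipaddress.ip_network(cidr, strict=False)
        self._entries.append((net, action, frozenset(categories)))

    def most_specific(self, ip):
        """Longest-prefix match, so a /32 whitelist inside a /24 blacklist wins."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, action, cats in self._entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, action, cats)
        return best


def preprocess(table, src_ip, dst_ip):
    """Return (verdict, tags). Tags are only populated when inspecting."""
    hits = {"src": table.most_specific(src_ip), "dst": table.most_specific(dst_ip)}
    actions = {h[1] for h in hits.values() if h is not None and h[1] is not None}
    if table.whitelist_first and Verdict.PASS in actions:
        return Verdict.PASS, {}
    if Verdict.DROP in actions:
        return Verdict.DROP, {}
    if Verdict.PASS in actions:
        return Verdict.PASS, {}
    tags = {side: (h[2] if h is not None else frozenset()) for side, h in hits.items()}
    return Verdict.INSPECT, tags


def rule_matches(tags, side, category):
    """Rule-side check analogous to a flowbits test: true only if the
    reputation lookup attached `category` to that side of the packet."""
    return category in tags.get(side, ())


def build_sample_table(whitelist_first=True):
    # Constructed sample data using documentation (RFC 5737) ranges.
    t = ReputationTable(whitelist_first=whitelist_first)
    t.add("203.0.113.0/24", action=Verdict.DROP)                   # blacklisted range
    t.add("203.0.113.77/32", action=Verdict.PASS)                  # whitelisted host inside it
    t.add("198.51.100.0/24", categories={"scanner", "tor-exit"})   # informational only
    t.add("192.0.2.0/24", categories={"cdn"})                      # informational only
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for src, dst in [("203.0.113.5", "10.0.0.1"),
                     ("203.0.113.77", "10.0.0.1"),
                     ("198.51.100.9", "192.0.2.3")]:
        verdict, tags = preprocess(table, src, dst)
        print(src, "->", dst, verdict.value, dict(tags))
```

The `INSPECT` path is the interesting one for detection: a rule that would be noise on its own ("outbound connection on an unusual port") can be gated on `rule_matches(tags, "dst", "tor-exit")`, exactly as it would be gated on a flowbit, without the reputation list itself ever dropping traffic.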
