[Emerging-Sigs] IP Rules Direction

Joel Esler jesler at sourcefire.com
Mon Oct 31 14:27:08 EST 2011


On Oct 31, 2011, at 2:53 PM, Matthew Jonkman wrote:
> On Oct 31, 2011, at 2:47 PM, Joel Esler wrote:
> 
>> If you are referring to Snort's ip reputation preprocessor, it's quite functional now.  Especially in inline mode.
>> 
> 
> I was thinking Suricata. But have been watching Snort's.
> 
> Problem there is as I understand blacklisting just lets you say block and don't process traffic? Is that right?
> 

Blacklist means "block and don't process" (faster for engine), whitelist means "known good don't process" (again, faster for engine)

> What we *need* and are putting in Suricata is the ability to categorize. We classify IPs and domains on about 25 categories, and not all are blockable. Just info to add to a rule. So we'll have lookups for reputation in a rule like flowbits. 
> 
> Is that something coming in Snort? It'd be very nice if that is the case, so we can distribute more data to both engines!

I don't comment on future capabilities, but people would be pretty silly to think we're sitting still.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
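
The two designs contrasted in this exchange, as an added toy model that is not Snort or Suricata code: a whitelist/blacklist fast path that returns a verdict without inspecting the packet (the "block and don't process" / "known good, don't process" semantics Joel describes), beside a categorized reputation table that a rule consults the way it would consult a flowbit (the design Matt describes for Suricata). The category ids, the `network,category,score` list format, the `iprep`-style `(category, minimum score)` rule condition, and all addresses and payloads are constructed for the example and are not the real ET categories or either engine's file formats.

```python
"""Toy model of IP reputation as a fast-path verdict vs. a rule-time lookup.
Added illustration; not Snort or Suricata code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed category table (id -> short name); illustrative only.
CATEGORIES: Dict[int, str] = {1: "CnC", 2: "Scanner", 3: "Tor"}


def parse_nets(lines: List[str]) -> List[IPNet]:
    """One network per line; blank lines and '#' comments ignored."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_reputation(lines: List[str]) -> List[Tuple[IPNet, int, int]]:
    """Assumed 'network,category_id,score' lines, score 0-100 (constructed format)."""
    entries = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net, cat, score = (f.strip() for f in line.split(","))
        entries.append((ipaddress.ip_network(net, strict=False), int(cat), int(score)))
    return entries


@dataclass
class ReputationDB:
    whitelist: List[IPNet]
    blacklist: List[IPNet]
    reputation: List[Tuple[IPNet, int, int]]

    def fast_path(self, ip: str) -> Optional[str]:
        """Verdict without inspection. Whitelist is checked first, so a known-good
        host inside a blacklisted range is still passed (whitelist priority)."""
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.whitelist):
            return "pass"
        if any(addr in n for n in self.blacklist):
            return "block"
        return None  # no verdict: fall through to normal inspection

    def categories(self, ip: str) -> Dict[int, int]:
        """Category id -> highest score over all networks containing ip."""
        addr = ipaddress.ip_address(ip)
        scores: Dict[int, int] = {}
        for net, cat, score in self.reputation:
            if addr in net:
                scores[cat] = max(scores.get(cat, 0), score)
        return scores


@dataclass
class Rule:
    sid: int
    content: bytes
    iprep: Optional[Tuple[int, int]] = None  # (category id, minimum score), like a flowbit check


@dataclass
class Packet:
    src: str
    payload: bytes


def inspect(db: ReputationDB, rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Return (verdict, matching sids). 'pass'/'block' mean no rule was evaluated."""
    verdict = db.fast_path(pkt.src)
    if verdict is not None:
        return verdict, []
    cats = db.categories(pkt.src)  # one lookup, shared by every rule that asks
    hits = []
    for r in rules:
        if r.content not in pkt.payload:
            continue
        if r.iprep is not None:
            cat, minimum = r.iprep
            if cats.get(cat, 0) < minimum:
                continue
        hits.append(r.sid)
    return "inspect", hits


def build_demo() -> Tuple[ReputationDB, List[Rule]]:
    """Constructed lists and rules for the demonstration."""
    db = ReputationDB(
        whitelist=parse_nets(["192.168.1.0/24  # our own scanners"]),
        blacklist=parse_nets(["192.168.0.0/16", "203.0.113.0/24"]),
        reputation=parse_reputation(["198.51.100.0/24,1,90", "198.51.100.7,2,40", "10.0.0.0/8,2,20"]),
    )
    rules = [Rule(1, b"GET /login"), Rule(2, b"GET /login", iprep=(1, 50)), Rule(3, b"GET /login", iprep=(2, 30))]
    return db, rules


if __name__ == "__main__":
    db, rules = build_demo()
    for src in ("192.168.1.5", "192.168.2.5", "203.0.113.9", "198.51.100.7", "10.1.2.3"):
        print(src, inspect(db, rules, Packet(src, b"GET /login HTTP/1.1")))
```

The point of the split is visible in `inspect`: a whitelisted or blacklisted source never reaches the rule loop at all, which is the speed-up Joel mentions, whereas a source that is merely "known scanner, score 20" still gets fully inspected and only changes which rules fire. That is why a category that is not blockable (the "not all are blockable" case) belongs in the rule-time lookup and not in the blacklist.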


