[Emerging-Sigs] Snort, IP-Only Rules, Performance

Nathan nathan at packetmail.net
Mon Dec 10 04:04:30 HAST 2012


On 12/08/2012 01:58 PM, JJ Cummings wrote:
> If you are looking for bad IP addresses, use the reputation preprocessor, this is what it was designed for.  And even though it doesn't state explicitly, it works in IDS (passive) mode.  Simply maintain a list file with the bad IP addresses and use it (read blacklist).  You can even reload the list via a control socket rather than a full HUP of Snort, purposely designed and built to allow for regular and recurring reloads of said list (many IP reputation feeds update hourly for example)...

Thanks JJ for the information and help.

Thanks,
Nathan
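
Added example, not part of the original thread and not code from Snort or Emerging Threats: one way to maintain the list file JJ describes, by merging hourly feed dumps into a deduplicated, collapsed blacklist and swapping it into place atomically before a reload. Assumptions: the list file takes one IP or CIDR per line with `#` comments, and the function names, the `never_block` parameter and the sample feed are hypothetical.

```python
import ipaddress
import os

# Constructed sample feed (documentation-range addresses, not real indicators).
SAMPLE_FEED = """\
# hourly feed export
192.0.2.10
192.0.2.10
198.51.100.0/25
198.51.100.128/25
203.0.113.7   # trailing comment
10.1.2.3
not-an-ip
2001:db8::/32
"""

def parse_feed(text):
    """Return (networks, rejected_lines) for one feed dump."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw.strip())  # keep bad lines for review
    return nets, rejected

def build_blacklist(feeds, never_block=()):
    """Merge feeds into collapsed CIDR lines, skipping ranges in never_block."""
    keep = [ipaddress.ip_network(n) for n in never_block]
    v4, v6, rejected = [], [], []
    for text in feeds:
        nets, bad = parse_feed(text)
        rejected += bad
        for net in nets:
            if any(net.version == k.version and net.overlaps(k) for k in keep):
                rejected.append(str(net))  # a feed must not block our own ranges
            else:
                (v4 if net.version == 4 else v6).append(net)
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged], rejected

def write_blacklist(path, lines):  # atomic swap: a reload never sees a partial file
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(tmp, path)
```

Reviewing the rejected entries on each run shows when a feed starts shipping malformed lines or addresses inside your own ranges.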

