Snort & IP Blocklist & StrikeBack



  • Does anyone know if it is beneficial to use IP Blocklist and StrikeBack when you also have Snort running? It seems to me that Snort already has rules in place to handle most bad things. I am using 2.0 RC3 and this system protects a corporate network. I do not want to add overhead and instability to the system if these 2 packages won't add any extra value for our type of environment.

    Btw, I have nearly every Snort category enabled with Auto Block on for 7 days. It catches a fair amount of bad connections, but I have yet to encounter a false positive. I guess it is because I don't turn on the ShellCode rules. I find these rules heavily prone to false positives and am not entirely convinced most matched items are really that bad.

    Thanks.



  • The 3 packages do something a little different. Snort is an IDS and can block if a fingerprint matches. IP-Blocklist is just that: it blocks IPs. StrikeBack, well, I don't know much about it since there are some bugs getting it to autostart. I ended up removing it from my system.

    I'm not sure if you need StrikeBack, but IP-Blocklist can't hurt. I use CountryBlock instead of IP-Blocklist. Almost the same thing, but I'm only looking to block certain countries. With IP-BL, you can put country ranges in it and add any kind of list.

    I have to do more reading about StrikeBack. I like the idea, but I can't remember if it does this automatically. If not, it's not worth it, because you can do it manually after checking your Snort log.



  • I use CountryBlock too. It works great. I just wanted to block the main spammers, and its top 10 list is perfect.

    I may not bother with IP Blocklist since I don't see any added value for our network.

    I agree on StrikeBack. If it doesn't auto-block or auto-something, then I don't see the use. I don't have all day to monitor logs and manually block suspicious connections. I also like the idea of it but need to read more.



  • @ Cino

    • What's the requirement of IP-Blocklist (RAM)? Can we uninstall it too in 2.0? And also, can we add exemptions to this?

    jigp



  • @jigpe:

    @ Cino

    • What's the requirement of IP-Blocklist (RAM)? Can we uninstall it too in 2.0? And also, can we add exemptions to this?

    jigp

    I'm not really sure on the RAM, and I believe there is a whitelist function for it… There is a thread just for IP-Blocklist under the Packages board. You can install and uninstall with no issues under 2.0.

