Snort: Easy way to use external IP blocklists and dynamically update them



  • Hi

    I'm aware that there are some useful IP blacklists maintained by different organisations on the web.  See, for example: http://www.malwaredomains.com/

    Is there a convenient way to set up Snort to fetch those and dynamically update them please?

    I can see that Snort supports IP lists, and that the default rules allow those to be fetched and updated (e.g. it's displaying "emerging-compromised-ips.txt" at the moment as a list being blocked).  However, can external lists be fetched and added easily please?

    There's a blog list here that attempts to do it, but it's not "out of the box" and there's a lot of behind the scenes poking around (plus it's not on pfSense):  http://blog.securitymonks.com/2009/07/19/blacklisting-with-snort/

    Any guidance very gratefully received.

    Thanks,

    Andrew



  • Currently that feature is not included within the GUI code.  You could certainly do this manually with a shell script in a cron job.  Create a short shell script that uses curl to download the IP lists you want.  The files should be downloaded to /var/db/snort/iprep.  Once in that directory, the files will show up in the GUI on the IP LISTS tab where the emerging-compromised-ips.txt file is already showing.  You can then assign the file as an IP Blacklist or Whitelist.

    Whenever you update the files, you can send Snort a SIGHUP and it will do a live reload of the rules including the IP reputation lists.

    Bill



  • Many thanks.  I was looking to do this, and then stumbled across the pfBlockerNG package which seems to do the trick out of the box.

    The lists available here seem quite good and work well with pfBlockerNG:  https://blocklist.sigmaprojects.org

    Thanks for your help.


Log in to reply