[Oisf-users] Suricata - Equivalent of Blacklist in Snort?

Brandon Reeves brandonreeves at outlook.com
Sun Aug 28 23:26:51 UTC 2016


We are attempting to move from Snort to Suricata. We have our install down, got rules the way we want them and everything seems to be working well. Our last step is more complex. We have a number of Snort Blacklist files that we maintain. Depending on the blacklist file, an alert may be created or the site / IP may be blocked completely.


Can someone explain how we can translate the blacklist files from Snort into a Suricata capability?


We have looked into Suricata IP reputation; however, we are unsure how to start there. We have read the documents regarding file formats and how to write a rule, but we are unsure how to get from a single blacklist to the new Suricata reputation system. Then we need to understand how to block certain IP addresses that are within those lists.


FYI, this is my first post here so be gentle if this has been discussed prior.


Thanks

Brandon
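The conversion the post asks about, as an added example that is not part of the original message or of the Suricata project: a small Python script that reads Snort-style blacklist files (one IP or CIDR per line, `#` comments), writes Suricata's two IP reputation inputs, and emits one `iprep` rule per list so that one list only alerts while another drops. The formats are the documented ones (categories file `<id>,<short name>,<description>`; reputation file `<ip or cidr>,<category id>,<score 0-127>`; rule keyword `iprep:<side>,<category>,<operator>,<value>;`). The file names, category names and ids, scores and sids are placeholders chosen for the example, and the sample blacklists are constructed inline.

```python
"""Convert Snort-style blacklist files into Suricata IP reputation inputs.

Added example, not code from the mailing-list post or from Suricata.
Assumptions (labelled): Snort blacklists are plain text with one IPv4/IPv6
address or CIDR per line and '#' comments; category ids/names, scores,
actions and sids below are made-up placeholders for the demonstration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample blacklists standing in for the Snort files.
SAMPLE_BLACKLISTS: Dict[str, str] = {
    "alert-only.txt": (
        "# sample alert list\n"
        "192.0.2.10\n"
        "192.0.2.0/24  # whole range\n"
        "\n"
        "not-an-ip\n"
    ),
    "block.txt": "198.51.100.7\n203.0.113.0/25\n",
}

# Per-list policy: (category id, category short name, score, rule action).
# Assumed values: a high score for lists that should block, lower for alert-only.
POLICY: Dict[str, Tuple[int, str, int, str]] = {
    "alert-only.txt": (1, "SnortAlertList", 80, "alert"),
    "block.txt": (2, "SnortBlockList", 127, "drop"),
}


def parse_blacklist(text: str) -> Tuple[List[str], List[str]]:
    """Return (valid entries, rejected raw lines).

    Comments and blank lines are dropped; anything that does not parse as an
    address or network is reported rather than silently skipped, so a typo in
    a blacklist cannot quietly remove a block.
    """
    good, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            bad.append(raw)
            continue
        # Suricata reputation files accept both bare IPs and CIDR ranges;
        # write single hosts without a prefix length.
        good.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return good, bad


def build_categories(policy: Dict[str, Tuple[int, str, int, str]]) -> str:
    """Contents of the reputation-categories-file: <id>,<short name>,<description>."""
    return "".join(
        f"{cid},{name},{name} imported from Snort blacklist\n"
        for cid, name, _, _ in policy.values()
    )


def build_reputation(blacklists: Dict[str, str],
                     policy: Dict[str, Tuple[int, str, int, str]]) -> Tuple[str, List[str]]:
    """Contents of a reputation file: <ip or cidr>,<category id>,<score>.

    Every entry of a list gets that list's category and score, so the rule
    for the category decides whether a hit alerts or drops.
    """
    rows, rejected = [], []
    for fname, text in blacklists.items():
        cid, _, score, _ = policy[fname]
        good, bad = parse_blacklist(text)
        rows.extend(f"{entry},{cid},{score}" for entry in good)
        rejected.extend(f"{fname}: {b}" for b in bad)
    return "\n".join(rows) + "\n", rejected


def build_rules(policy: Dict[str, Tuple[int, str, int, str]],
                base_sid: int = 9000000) -> List[str]:
    """One iprep rule per category; 'any' matches the category on src or dst.

    iprep only offers <, > and =, so '> score-1' matches exactly the score
    this script assigned to the list.
    """
    rules = []
    for i, (cid, name, score, action) in enumerate(policy.values()):
        rules.append(
            f'{action} ip any any -> any any (msg:"IPREP {name} match"; '
            f'iprep:any,{name},>,{score - 1}; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    reputation, rejected = build_reputation(SAMPLE_BLACKLISTS, POLICY)
    print("# categories.txt\n" + build_categories(POLICY))
    print("# reputation.list\n" + reputation)
    print("# rules\n" + "\n".join(build_rules(POLICY)))
    for r in rejected:
        print("REJECTED:", r)
```

The two generated files are pointed to from suricata.yaml with `reputation-categories-file`, `default-reputation-path` and `reputation-files`; the `drop` rule only blocks when Suricata runs inline (IPS mode), otherwise it behaves like an alert. Re-running the script whenever the Snort lists change and reloading the rules keeps the reputation data in step with the lists.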