
Resolved
0 votes
I know I ran across this in a config once before but now I cannot find it. But I would like to increase the time that an IP is on the blocklist.

Anyone recall which conf file that is in?
Sunday, September 08 2013, 04:06 AM
Responses (8)
  • Accepted Answer

    Tuesday, September 10 2013, 09:51 PM - #Permalink
    Resolved
    0 votes
    LOL, thanks I did try Google before posting but obviously didn't look very hard!
  • Accepted Answer

    Tuesday, September 10 2013, 05:54 PM - #Permalink
    Resolved
    0 votes
    @Tim,
    I found it by googling "man snortsam.conf"
  • Accepted Answer

    Tuesday, September 10 2013, 12:50 PM - #Permalink
    Resolved
    0 votes
    Yes sir it sure is. I found it in documentation for SnortSam. Below is the link I found it at.

    http://doc.emergingthreats.net/bin/view/Main/SnortSamREADMEconf
  • Accepted Answer

    Tuesday, September 10 2013, 12:47 PM - #Permalink
    Resolved
    0 votes
    All I was trying to do was increase the time an IP would be blocked by the IPS.
  • Accepted Answer

    Tuesday, September 10 2013, 12:43 PM - #Permalink
    Resolved
    0 votes
    I've not come across that before - is it documented anywhere?
  • Accepted Answer

    Tuesday, September 10 2013, 12:29 PM - #Permalink
    Resolved
    0 votes
    You can do that at IP level (or subnet) from snortsam.conf but not at rule level. If you are trying to block an IP completely why not just create a permanent firewall rule?
  • Accepted Answer

    Tuesday, September 10 2013, 01:17 AM - #Permalink
    Resolved
    0 votes
    I am not saying you are incorrect, but I was indeed able to do it by editing the snortsam.conf file with the below entry. I have verified through the logs that it is working as intended.


    atleast 127.0.0.1/32, 1 week
  • Accepted Answer

    Sunday, September 08 2013, 10:26 AM - #Permalink
    Resolved
    0 votes
    Assuming you are talking about the IPS, it is not in a conf file. It is contained within an individual rule, so you'd need to find and edit the rule.