<p class="p1"><span class="s1">Configured IP reputation today, gave Suricata around 1000 IP to watch. The manual says I've got to create an "ip-only" rule for maximum performance, so there you go - my proud rule.</span></p><p class="p1"><span class="s1">alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP internal host talking to CnC server"; </span>iprep:dst,CnC,>,60; sid:1; rev:1;)</p><p class="p1">$REALLY_EXTERNAL_NET is well... what it says - Internet. Outside world.</p><p class="p1">To my surprise Suricata started and told me there are 0 ip-only rules.</p><p class="p1">Terrible performance and huge packet loss confirmed it - something is clearly wrong. Without this rule I have next to none packet loss, with it around 40% or more.</p><p class="p1">How should the IP-only rule for reputation list look like?</p>