And you are right. There's a subtle difference. You used any or ip/32 and I used subnet. I've just changed the rule to say<div>
<p class="p1"><span class="s1">alert</span><span class="s2"> ip any any -> any any (msg:"test"; </span><span class="s1">iprep:src,CnC,</span><span class="s2">>,70; </span><span class="s1">sid:1</span><span class="s2">; </span><span class="s1">rev:1</span><span class="s2">;</span><span class="s3">)</span></p></div><div>
<p class="p1"><span class="s1">1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only</span></p><p class="p1">Thanks! Maybe it should lang in the documentation, that IP only rules have to be "any" or single IP.</p></div><br><div class="gmail_quote">On Fri Nov 07 2014 at 10:42:33 AM Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 11/06/2014 10:22 PM, Michał Purzyński wrote:<br>
> Configured IP reputation today, gave Suricata around 1000 IP to watch.<br>
> The manual says I've got to create an "ip-only" rule for maximum<br>
> performance, so there you go - my proud rule.<br>
><br>
> alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP internal<br>
> host talking to CnC server"; iprep:dst,CnC,>,60; sid:1; rev:1;)<br>
><br>
> $REALLY_EXTERNAL_NET is well... what it says - Internet. Outside world.<br>
><br>
> To my surprise Suricata started and told me there are 0 ip-only rules.<br>
><br>
> Terrible performance and huge packet loss confirmed it - something is<br>
> clearly wrong. Without this rule I have next to none packet loss, with<br>
> it around 40% or more.<br>
><br>
> How should the IP-only rule for reputation list look like?<br>
><br>
<br>
I've done a few tests, but I can reproduce your issue:<br>
<br>
alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,>,9; sid:1;<br>
rev:1;)<br>
alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,<,11;<br>
sid:2; rev:1;)<br>
alert ip [1.2.3.4] any -> [5.6.7.8] any (msg:"test";<br>
iprep:src,BadHosts,<,11; sid:3; rev:1;)<br>
<br>
[30293] 7/11/2014 -- 10:39:52 - (detect.c:2613) <Info><br>
(SigAddressPrepareStage1) -- 3 signatures processed. 3 are IP-only<br>
rules, 0 are inspecting packet payload, 0 inspect application layer, 0<br>
are decoder event only<br>
<br>
--<br>
------------------------------<u></u>---------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/<u></u>victorjulien.asc</a><br>
------------------------------<u></u>---------------<br>
<br>
______________________________<u></u>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@<u></u>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/<u></u>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.<u></u>openinfosecfoundation.org/<u></u>mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/<u></u>training/</a></blockquote></div>