[Oisf-users] IP reputation and IP only rules

Michał Purzyński michalpurzynski1 at gmail.com
Thu Nov 6 21:22:58 UTC 2014

Configured IP reputation today, gave Suricata around 1000 IP to watch. The
manual says I've got to create an "ip-only" rule for maximum performance,
so there you go - my proud rule.

alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP internal
host talking to CnC server"; iprep:dst,CnC,>,60; sid:1; rev:1;)

$REALLY_EXTERNAL_NET is well... what it says - Internet. Outside world.

To my surprise Suricata started and told me there are 0 ip-only rules.

Terrible performance and huge packet loss confirmed it - something is
clearly wrong. Without this rule I have next to none packet loss, with it
around 40% or more.

How should the IP-only rule for reputation list look like?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141106/3f4985ad/attachment.html>

More information about the Oisf-users mailing list