[Oisf-users] IP reputation and IP only rules
Michał Purzyński
michalpurzynski1 at gmail.com
Thu Nov 6 21:22:58 UTC 2014
Configured IP reputation today, gave Suricata around 1000 IPs to watch. The
manual says I've got to create an "ip-only" rule for maximum performance,
so there you go - my proud rule.
alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP internal host talking to CnC server"; iprep:dst,CnC,>,60; sid:1; rev:1;)
$REALLY_EXTERNAL_NET is well... what it says - Internet. Outside world.
To my surprise Suricata started and told me there are 0 ip-only rules.
Terrible performance and huge packet loss confirmed it - something is
clearly wrong. Without this rule I have next to no packet loss, with it
around 40% or more.
What should the IP-only rule for a reputation list look like?
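As an added example that is not part of this thread, the two iprep input files the rule above depends on (the category definitions and the reputation list) and the threshold comparison that `iprep:dst,CnC,>,60` performs, parsed and evaluated in Python. All file contents are constructed samples, and "most specific prefix wins" for overlapping entries is this example's own choice.

```python
import ipaddress

# Constructed sample in Suricata's categories file format: <id>,<short name>,<description>
CATEGORIES_TXT = """\
# id,short name,description
1,CnC,Command and Control servers
2,Scanner,Hosts seen scanning
"""

# Constructed sample in the reputation list format: <ip or cidr>,<category id>,<score 0-127>
REPUTATION_LIST = """\
# ip,category,score
203.0.113.10,1,90
203.0.113.0/24,2,40
198.51.100.7,1,30
"""


def parse_categories(text):
    """Map category short name -> numeric id, skipping comments and blank lines."""
    cats = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cat_id, name, _desc = line.split(",", 2)
        cats[name] = int(cat_id)
    return cats


def parse_reputation(text):
    """Return (network, category id, score) entries; single IPs become /32 or /128 networks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, cat_id, score = line.split(",")
        entries.append((ipaddress.ip_network(net, strict=False), int(cat_id), int(score)))
    return entries


def reputation(entries, ip, cat_id):
    """Score of ip in category cat_id, or None if unlisted (most specific prefix wins)."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, score) for net, cid, score in entries if cid == cat_id and addr in net]
    return max(hits)[1] if hits else None


OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def iprep_match(entries, cats, ip, category, op, threshold):
    """Evaluate one iprep:<side>,<category>,<op>,<value> test against a single address."""
    score = reputation(entries, ip, cats[category])
    return score is not None and OPS[op](score, threshold)
```

Suricata's --engine-analysis option writes a per-rule report that states whether each rule was classified as IP-only, which is the direct way to check what the engine made of a rule like the one above.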