[Oisf-users] IP reputation and IP only rules

Victor Julien lists at inliniac.net
Fri Nov 7 09:42:11 UTC 2014

On 11/06/2014 10:22 PM, Michał Purzyński wrote:
> Configured IP reputation today, gave Suricata around 1000 IP to watch.
> The manual says I've got to create an "ip-only" rule for maximum
> performance, so there you go - my proud rule.
> alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP internal
> host talking to CnC server"; iprep:dst,CnC,>,60; sid:1; rev:1;)
> $REALLY_EXTERNAL_NET is well... what it says - Internet. Outside world.
> To my surprise Suricata started and told me there are 0 ip-only rules.
> Terrible performance and huge packet loss confirmed it - something is
> clearly wrong. Without this rule I have next to none packet loss, with
> it around 40% or more.
> How should the IP-only rule for reputation list look like?

I've done a few tests, but I can reproduce your issue:

alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,>,9; sid:1; rev:1;)
alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,<,11; sid:2; rev:1;)
alert ip [] any -> [] any (msg:"test"; iprep:src,BadHosts,<,11; sid:3; rev:1;)

[30293] 7/11/2014 -- 10:39:52 - (detect.c:2613) <Info> (SigAddressPrepareStage1) -- 3 signatures processed. 3 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
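As an added illustration of the setup discussed in this thread (not code from the thread or from the Suricata project), the script below renders the two input files the iprep keyword depends on (a categories file of the form <id>,<short name>,<description> and a reputation list of the form <ip>,<category id>,<score>, with scores in the 0..127 range) from a constructed host list, builds a reputation rule in the same shape as the one quoted above, and applies a conservative heuristic for whether a rule can be treated as IP-only: both ports "any" and no keyword outside an assumed whitelist of address and metadata keywords. The whitelist and the heuristic are assumptions of this example; the engine's own classification, reported in the "signatures processed" log line, is authoritative. The host addresses, category ids and $EXTERNAL_NET default are constructed sample values.

```python
import re

# Constructed sample reputation data: (ip, category name, score 0..127).
SAMPLE_HOSTS = [
    ("192.0.2.10", "CnC", 80),
    ("192.0.2.11", "CnC", 40),
    ("198.51.100.5", "BadHosts", 100),
]
# Constructed category ids; the categories file maps id -> short name.
CATEGORIES = {"CnC": 1, "BadHosts": 2}


def build_categories_file(categories):
    """Render a categories file body: <id>,<short name>,<description> per line."""
    rows = sorted(categories.items(), key=lambda kv: kv[1])
    return "".join("%d,%s,%s category\n" % (cid, name, name) for name, cid in rows)


def build_reputation_file(hosts, categories):
    """Render a reputation list body: <ip>,<category id>,<score> per line.
    Scores are 0..127; anything else is rejected before it reaches the sensor."""
    lines = []
    for ip, cat, score in hosts:
        if not 0 <= score <= 127:
            raise ValueError("score out of range for %s: %d" % (ip, score))
        lines.append("%s,%d,%d\n" % (ip, categories[cat], score))
    return "".join(lines)


# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Assumed whitelist of keywords that do not force payload or app-layer
# inspection. Suricata's own classifier (detect.c) is the real authority.
METADATA_KEYWORDS = {"msg", "sid", "rev", "classtype", "priority", "reference",
                     "metadata", "threshold", "iprep", "gid", "target"}


def split_options(opts):
    """Split 'k:v; k2; ...' on ';' outside double quotes; return keyword names."""
    names, buf, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                names.append(buf.strip().split(":", 1)[0].strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        names.append(buf.strip().split(":", 1)[0].strip())
    return names


def looks_ip_only(rule):
    """Heuristic: both ports 'any' and only address/metadata keywords used."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % rule)
    if m.group("sport") != "any" or m.group("dport") != "any":
        return False
    return all(k in METADATA_KEYWORDS for k in split_options(m.group("opts")))


def iprep_rule(sid, category, threshold, src="$HOME_NET", dst="$EXTERNAL_NET"):
    """Build a reputation rule in the shape used in the thread (dst side checked)."""
    return ('alert ip %s any -> %s any (msg:"IPREP %s reputation above %d"; '
            'iprep:dst,%s,>,%d; sid:%d; rev:1;)'
            % (src, dst, category, threshold, category, threshold, sid))


if __name__ == "__main__":
    print(build_categories_file(CATEGORIES))
    print(build_reputation_file(SAMPLE_HOSTS, CATEGORIES))
    rule = iprep_rule(1, "CnC", 60)
    print(rule, "->", "ip-only candidate" if looks_ip_only(rule) else "not ip-only")
```

Running the heuristic over a rule set before loading it on a busy sensor gives a quick list of rules that will not get the IP-only fast path; a rule with a non-"any" port or a payload keyword such as content is reported as not IP-only, which matches the packet-loss symptom described above when such a rule is combined with a large reputation list.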
