[Oisf-users] IP reputation and IP only rules
Victor Julien
lists at inliniac.net
Fri Nov 7 09:42:11 UTC 2014
On 11/06/2014 10:22 PM, Michał Purzyński wrote:
> Configured IP reputation today, gave Suricata around 1000 IP to watch.
> The manual says I've got to create an "ip-only" rule for maximum
> performance, so there you go - my proud rule.
>
> alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP internal
> host talking to CnC server"; iprep:dst,CnC,>,60; sid:1; rev:1;)
>
> $REALLY_EXTERNAL_NET is well... what it says - Internet. Outside world.
>
> To my surprise Suricata started and told me there are 0 ip-only rules.
>
> Terrible performance and huge packet loss confirmed it - something is
> clearly wrong. Without this rule I have next to none packet loss, with
> it around 40% or more.
>
> How should the IP-only rule for reputation list look like?
>
I've done a few tests, but I can reproduce your issue:
alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,>,9; sid:1;
rev:1;)
alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,<,11;
sid:2; rev:1;)
alert ip [1.2.3.4] any -> [5.6.7.8] any (msg:"test";
iprep:src,BadHosts,<,11; sid:3; rev:1;)
[30293] 7/11/2014 -- 10:39:52 - (detect.c:2613) <Info>
(SigAddressPrepareStage1) -- 3 signatures processed. 3 are IP-only
rules, 0 are inspecting packet payload, 0 inspect application layer, 0
are decoder event only
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list