[Oisf-users] IP reputation and IP only rules
Michał Purzyński
michalpurzynski1 at gmail.com
Fri Nov 7 11:31:34 UTC 2014
And you are right. There's a subtle difference. You used any or ip/32 and I
used subnet. I've just changed the rule to say
alert ip any any -> any any (msg:"test"; iprep:src,CnC,>,70; sid:1; rev:1;)
1 signatures processed. 1 are IP-only rules, 0 are inspecting packet
payload, 0 inspect application layer, 0 are decoder event only
Thanks! Maybe it should lang in the documentation, that IP only rules have
to be "any" or single IP.
On Fri Nov 07 2014 at 10:42:33 AM Victor Julien <lists at inliniac.net> wrote:
> On 11/06/2014 10:22 PM, Michał Purzyński wrote:
> > Configured IP reputation today, gave Suricata around 1000 IP to watch.
> > The manual says I've got to create an "ip-only" rule for maximum
> > performance, so there you go - my proud rule.
> >
> > alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP internal
> > host talking to CnC server"; iprep:dst,CnC,>,60; sid:1; rev:1;)
> >
> > $REALLY_EXTERNAL_NET is well... what it says - Internet. Outside world.
> >
> > To my surprise Suricata started and told me there are 0 ip-only rules.
> >
> > Terrible performance and huge packet loss confirmed it - something is
> > clearly wrong. Without this rule I have next to none packet loss, with
> > it around 40% or more.
> >
> > How should the IP-only rule for reputation list look like?
> >
>
> I've done a few tests, but I can reproduce your issue:
>
> alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,>,9; sid:1;
> rev:1;)
> alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,<,11;
> sid:2; rev:1;)
> alert ip [1.2.3.4] any -> [5.6.7.8] any (msg:"test";
> iprep:src,BadHosts,<,11; sid:3; rev:1;)
>
> [30293] 7/11/2014 -- 10:39:52 - (detect.c:2613) <Info>
> (SigAddressPrepareStage1) -- 3 signatures processed. 3 are IP-only
> rules, 0 are inspecting packet payload, 0 inspect application layer, 0
> are decoder event only
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141107/5f358021/attachment-0002.html>
More information about the Oisf-users
mailing list