[Oisf-users] IP reputation and IP only rules

Victor Julien lists at inliniac.net
Fri Nov 7 11:44:34 UTC 2014


On 11/07/2014 12:31 PM, Michał Purzyński wrote:
> And you are right. There's a subtle difference. You used any or ip/32
> and I used subnet. I've just changed the rule to say
> 
> alert ip any any -> any any (msg:"test"; iprep:src,CnC,>,70; sid:1; rev:1;)
> 
> 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
> 
> Thanks! Maybe it should land in the documentation that IP-only rules
> have to be "any" or a single IP.

Do you have negation in the variables? E.g. something like HOME_NET:
"[10.0.0.0/8,!10.0.10.0/16]"

IIRC negation in the address fields causes a sig to be rejected for
'IP-only'.

Cheers,
Victor


> 
> 
> On Fri Nov 07 2014 at 10:42:33 AM Victor Julien <lists at inliniac.net
> <mailto:lists at inliniac.net>> wrote:
> 
>     On 11/06/2014 10:22 PM, Michał Purzyński wrote:
>     > Configured IP reputation today, gave Suricata around 1000 IP to watch.
>     > The manual says I've got to create an "ip-only" rule for maximum
>     > performance, so there you go - my proud rule.
>     >
>     > alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP internal host talking to CnC server"; iprep:dst,CnC,>,60; sid:1; rev:1;)
>     >
>     > $REALLY_EXTERNAL_NET is well... what it says - Internet. Outside world.
>     >
>     > To my surprise Suricata started and told me there are 0 ip-only rules.
>     >
>     > Terrible performance and huge packet loss confirmed it - something is
>     > clearly wrong. Without this rule I have next to none packet loss, with
>     > it around 40% or more.
>     >
>     > How should the IP-only rule for reputation list look like?
>     >
> 
>     I've done a few tests, but I can reproduce your issue:
> 
>     alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,>,9; sid:1; rev:1;)
>     alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,<,11; sid:2; rev:1;)
>     alert ip [1.2.3.4] any -> [5.6.7.8] any (msg:"test"; iprep:src,BadHosts,<,11; sid:3; rev:1;)
> 
>     [30293] 7/11/2014 -- 10:39:52 - (detect.c:2613) <Info> (SigAddressPrepareStage1) -- 3 signatures processed. 3 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
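A small pre-flight check for the condition Victor suspects, added here as an example; it is not Suricata code and not something anyone in the thread posted. It expands a rule's address fields from a constructed set of address groups (REALLY_EXTERNAL_NET written the usual way, as `!$HOME_NET`) and reports negation in the expanded addresses, ports other than `any`, and option keywords outside the set used by the rules this thread reports as IP-only (msg, iprep, sid, rev). It also parses the SigAddressPrepareStage1 summary line so the IP-only count can be asserted after a rule change. The address-group values, the keyword set and the port check are this checker's assumptions, not Suricata's exact IP-only logic.

```python
import re

# Constructed address groups for the demo (not the poster's suricata.yaml).
# REALLY_EXTERNAL_NET is defined as the negation of HOME_NET, the pattern
# Victor asks about; HOME_NET itself also carries a negated exclusion.
ADDRESS_GROUPS = {
    "HOME_NET": "[10.0.0.0/8,!10.0.10.0/24]",
    "REALLY_EXTERNAL_NET": "!$HOME_NET",
}

# Option keywords used by the rules the thread reports as IP-only.
# Assumption of this checker: any other keyword disqualifies a rule.
IPONLY_SAFE_KEYWORDS = {"msg", "iprep", "sid", "rev"}

RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

STAGE1_RE = re.compile(
    r"(\d+) signatures processed\. (\d+) are IP-only rules, (\d+) are inspecting "
    r"packet payload, (\d+) inspect application layer, (\d+) are decoder event only"
)


def expand_address(addr, groups, depth=0):
    """Recursively replace $NAME references with their definitions from groups."""
    if depth > 10:
        raise ValueError("address group nesting too deep: " + addr)

    def lookup(m):
        name = m.group(1)
        if name not in groups:
            raise KeyError("undefined address group $" + name)
        return groups[name]

    expanded = re.sub(r"\$(\w+)", lookup, addr)
    if expanded == addr:
        return expanded
    return expand_address(expanded, groups, depth + 1)


def option_keywords(opts):
    """Return the keyword names from a rule option string such as 'msg:"x"; sid:1;'."""
    return [o.strip().split(":", 1)[0].strip() for o in opts.split(";") if o.strip()]


def iponly_problems(rule, groups=ADDRESS_GROUPS):
    """Return the reasons a rule is unlikely to be IP-only; [] means it looks eligible.

    Checks: (1) no negation in the expanded address fields (the condition Victor
    suspects), (2) both ports are 'any' (every IP-only rule in the thread uses
    'any'; assumed here to be required), (3) only keywords from IPONLY_SAFE_KEYWORDS.
    """
    m = RULE_RE.match(rule)
    if not m:
        return ["rule did not parse"]
    problems = []
    for field in ("src", "dst"):
        raw = m.group(field)
        expanded = expand_address(raw, groups)
        if "!" in expanded:
            problems.append(f"{field} {raw} expands to {expanded}, which contains negation")
    for field in ("sport", "dport"):
        if m.group(field).lower() != "any":
            problems.append(f"{field} is {m.group(field)}, not any")
    bad = [k for k in option_keywords(m.group("opts")) if k not in IPONLY_SAFE_KEYWORDS]
    if bad:
        problems.append("keywords outside the IP-only set: " + ", ".join(bad))
    return problems


def parse_stage1_summary(line):
    """Parse Suricata's 'N signatures processed. M are IP-only rules, ...' line."""
    m = STAGE1_RE.search(line)
    if not m:
        return None
    processed, ip_only, payload, app_layer, decoder_only = map(int, m.groups())
    return {"processed": processed, "ip_only": ip_only, "payload": payload,
            "app_layer": app_layer, "decoder_only": decoder_only}


if __name__ == "__main__":
    rules = [
        'alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP internal host talking to CnC server"; iprep:dst,CnC,>,60; sid:1; rev:1;)',
        'alert ip any any -> any any (msg:"test"; iprep:src,CnC,>,70; sid:1; rev:1;)',
        'alert ip [1.2.3.4] any -> [5.6.7.8] any (msg:"test"; iprep:src,BadHosts,<,11; sid:3; rev:1;)',
    ]
    for r in rules:
        print(r)
        for p in iponly_problems(r) or ["looks IP-only eligible"]:
            print("  -", p)
```

Run it against a rules file before restarting the sensor, then compare `parse_stage1_summary` on the real startup log against the number of rules you expect to be IP-only; a mismatch points at an address group or keyword that needs attention.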