[Oisf-users] IP reputation and IP only rules
Michał Purzyński
michalpurzynski1 at gmail.com
Fri Nov 7 14:37:42 UTC 2014
On Fri Nov 07 2014 at 12:44:47 PM Victor Julien <lists at inliniac.net> wrote:
> On 11/07/2014 12:31 PM, Michał Purzyński wrote:
> > And you are right. There's a subtle difference. You used any or ip/32
> > and I used subnet. I've just changed the rule to say
> >
> > alertip any any -> any any (msg:"test"; iprep:src,CnC,>,70; sid:1;
> rev:1;)
> >
> > 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet
> > payload, 0 inspect application layer, 0 are decoder event only
> >
> > Thanks! Maybe it should lang in the documentation, that IP only rules
> > have to be "any" or single IP.
>
> Do you have negation in the variables? E.g. something like HOME_NET:
> "[10.0.0.0/8,!10.0.10.0/16]"
>
>
HOME_NET: "[
192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,63.245.208.0/20,224.0.0.0/4,!$PROXY_SERVERS
]"
REALLY_EXTERNAL_NET: "!$HOME_NET"
So yeah I do. I've changed the rule to any any -> any any and that should
do, the iprep keyword takes are about the direction anyway.
> IIRC negation in the address fields cause a sig to be rejected for
> 'IP-only'.
>
>
Good to know. Thanks! :-)
> Cheers,
> Victor
>
>
> >
> >
> > On Fri Nov 07 2014 at 10:42:33 AM Victor Julien <lists at inliniac.net
> > <mailto:lists at inliniac.net>> wrote:
> >
> > On 11/06/2014 10:22 PM, Michał Purzyński wrote:
> > > Configured IP reputation today, gave Suricata around 1000 IP to
> watch.
> > > The manual says I've got to create an "ip-only" rule for maximum
> > > performance, so there you go - my proud rule.
> > >
> > > alert ip $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"IPREP
> > internal
> > > host talking to CnC server"; iprep:dst,CnC,>,60; sid:1; rev:1;)
> > >
> > > $REALLY_EXTERNAL_NET is well... what it says - Internet. Outside
> > world.
> > >
> > > To my surprise Suricata started and told me there are 0 ip-only
> rules.
> > >
> > > Terrible performance and huge packet loss confirmed it - something
> is
> > > clearly wrong. Without this rule I have next to none packet loss,
> with
> > > it around 40% or more.
> > >
> > > How should the IP-only rule for reputation list look like?
> > >
> >
> > I've done a few tests, but I can reproduce your issue:
> >
> > alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,>,9;
> sid:1;
> > rev:1;)
> > alert tcp any any -> any any (msg:"test"; iprep:src,BadHosts,<,11;
> > sid:2; rev:1;)
> > alert ip [1.2.3.4] any -> [5.6.7.8] any (msg:"test";
> > iprep:src,BadHosts,<,11; sid:3; rev:1;)
> >
> > [30293] 7/11/2014 -- 10:39:52 - (detect.c:2613) <Info>
> > (SigAddressPrepareStage1) -- 3 signatures processed. 3 are IP-only
> > rules, 0 are inspecting packet payload, 0 inspect application layer,
> 0
> > are decoder event only
> >
> > --
> > ------------------------------__---------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/__victorjulien.asc
> > <http://www.inliniac.net/victorjulien.asc>
> > ------------------------------__---------------
> >
> > _________________________________________________
> > Suricata IDS Users mailing list:
> > oisf-users at __openinfosecfoundation.org
> > <mailto:oisf-users at openinfosecfoundation.org>
> > Site: http://suricata-ids.org | Support:
> > http://suricata-ids.org/__support/ <http://suricata-ids.org/support/
> >
> > List:
> > https://lists.__openinfosecfoundation.org/__mailman/
> listinfo/oisf-users
> > <https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Training now available: http://suricata-ids.org/__training/
> > <http://suricata-ids.org/training/>
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141107/41d7039f/attachment-0002.html>
More information about the Oisf-users
mailing list