[Oisf-users] IP Reputation
CCAI CCIE
ccaiccie at gmail.com
Wed Nov 11 21:28:16 UTC 2015
Hello,
I created a script to modify the file and append risk, and a local rule to
use the file.
This is the script:
#!/bin/bash
# Reads a list of IPs (one per line) from the file given as $1 and writes a
# Suricata reputation file entry "ip,1,100" for each of them.
declare -a ARRAY
exec 10<&0
exec < "$1"
let count=0
while read -r LINE; do
    ARRAY[$count]=$LINE
    ((count++))
done
# Truncate the output file without writing an empty first line into it.
: > /etc/suricata/iprep/compromised-ips.txt
for f in "${ARRAY[@]}"; do
    echo "$f,1,100" >> /etc/suricata/iprep/compromised-ips.txt
done
It basically takes the compromised-ips.txt and appends risk level 1 with
value 100.
In suricata.yaml
reputation-categories-file: /etc/suricata/iprep/categories.txt
default-reputation-path: /etc/suricata/iprep/
reputation-files:
  - compromised-ips.txt
In categories.txt
1,Bad,Bad Host
In local.rules
reject ip any any -> any any (msg:"IPREP High Risk"; iprep:any,Bad,>,99; sid:379000031; rev:1;)
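As an added example (my own, not the poster's script), the same generation step with input validation, plus a check that every generated entry has a category defined in categories.txt and a score that clears the rule's ">99" threshold. It assumes one IPv4 address or CIDR per input line and Suricata's "ip,category,score" file format with scores in the range 0 to 127.

```bash
#!/usr/bin/env bash
# Added example: build and sanity-check a Suricata iprep file.
set -euo pipefail

# Build OUT from IN as "ip,cat,score" lines; skips blank lines and '#' comments,
# rejects non-IPv4 entries, drops duplicates, and prints the number written.
iprep_build() {
  local in="$1" out="$2" cat="$3" score="$4" n=0 line=''
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'   # IPv4 or IPv4 CIDR only
  if (( score < 0 || score > 127 )); then          # iprep scores are 0..127
    echo "score $score out of range 0-127" >&2; return 1
  fi
  : > "$out"                                       # truncate, no empty first line
  while IFS= read -r line || [[ -n "$line" ]]; do
    line="${line%%#*}"; line="${line//[[:space:]]/}"
    if [[ -z "$line" ]]; then continue; fi
    if [[ "$line" =~ $re ]]; then
      if ! grep -qxF -- "$line,$cat,$score" "$out"; then
        echo "$line,$cat,$score" >> "$out"; n=$((n+1))
      fi
    else
      echo "skipping invalid entry: $line" >&2
    fi
  done < "$in"
  echo "$n"
}

# Count entries in FILE whose category id exists in CATS and whose score is
# greater than THRESH (the comparison "iprep:any,<cat>,>,<thresh>" performs).
iprep_matching() {
  local file="$1" cats="$2" thresh="$3" n=0 ip cat score
  while IFS=, read -r ip cat score; do
    if grep -q "^$cat," "$cats" && (( score > thresh )); then n=$((n+1)); fi
  done < "$file"
  echo "$n"
}

# Constructed sample input (not real indicators): a comment, a duplicate,
# a CIDR, an invalid line and a blank line; prints "<written> <matching>".
iprep_demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' '# constructed sample' '10.0.0.5' '10.0.0.5' '192.0.2.0/24' 'not-an-ip' '' > "$d/in.txt"
  printf '1,Bad,Bad Host\n' > "$d/categories.txt"
  local written matched
  written=$(iprep_build "$d/in.txt" "$d/compromised-ips.txt" 1 100 2>/dev/null)
  matched=$(iprep_matching "$d/compromised-ips.txt" "$d/categories.txt" 99)
  rm -rf "$d"
  echo "$written $matched"
}
```

Running iprep_demo writes two entries (the duplicate and the invalid line are dropped) and both satisfy the ">99" check the rule above relies on.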