[Oisf-users] IP Reputation
Phil Daws
uxbod at splatnix.net
Thu Nov 12 14:30:45 UTC 2015
Thank you.
----- On 11 Nov, 2015, at 21:28, CCAI CCIE ccaiccie at gmail.com wrote:
> Hello,
> I created a script to modify the file and append a risk value, plus a local rule to use
> the file.
> This is the script:
> #!/bin/bash
> # Read every line of the input file ($1) into an array
> declare -a ARRAY
> exec 10<&0
> exec < "$1"
> let count=0
> while read LINE; do
> ARRAY[$count]=$LINE
> ((count++))
> done
> exec 0<&10 10<&-
> # Truncate the reputation file, then write one "ip,category,reputation" line per host
> : > /etc/suricata/iprep/compromised-ips.txt
> for f in "${ARRAY[@]}"; do
> echo "$f,1,100" >> /etc/suricata/iprep/compromised-ips.txt
> done
> It basically takes the compromised-ips.txt and appends risk level 1 with value
> 100.
> In suricata.yaml
> reputation-categories-file: /etc/suricata/iprep/categories.txt
> default-reputation-path: /etc/suricata/iprep/
> reputation-files:
> - compromised-ips.txt
> In categories.txt
> 1,Bad,Bad Host
> In local.rules
> reject ip any any -> any any (msg:"IPREP High Risk"; iprep:any,Bad,>,99; sid:379000031; rev:1;)
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
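A more defensive version of the generator script quoted above, added here as an example and not the poster's own code: it skips blank lines and comments, drops malformed entries instead of writing them into the reputation file, and refuses a score outside Suricata's 0-127 reputation range. The function name, the IPv4-only syntax check and the default category id 1 (Bad, as in the thread's categories.txt) are assumptions.

```shell
#!/bin/bash
# Added example: build a Suricata iprep file ("ip,category,reputation" per line)
# from a plain list of IPv4 addresses or CIDR ranges, one per line.
# Assumptions: category 1 = Bad (matching the thread's categories.txt);
# only IPv4 syntax is checked, so IPv6 entries would be rejected.

IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'

# build_iprep INPUT OUTPUT [CATEGORY] [REPUTATION]
# Prints the number of entries written.
# Returns 0 if every input line was accepted, 1 if any line was rejected,
# 2 if the reputation value is outside 0..127.
build_iprep() {
    local input="$1" output="$2" cat="${3:-1}" rep="${4:-100}"
    local line written=0 rejected=0

    # Suricata reputation scores are 0..127; refuse anything else up front.
    if [ "$rep" -lt 0 ] || [ "$rep" -gt 127 ]; then
        echo "reputation must be 0..127, got $rep" >&2
        return 2
    fi

    # Truncate the output without writing a leading blank line.
    : > "$output"

    # '|| [ -n "$line" ]' also processes a last line lacking a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"   # strip trailing '#' comments
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -z "$line" ] && continue
        if printf '%s' "$line" | grep -Eq "$IPV4_RE"; then
            printf '%s,%s,%s\n' "$line" "$cat" "$rep" >> "$output"
            written=$((written + 1))
        else
            echo "skipping malformed entry: $line" >&2
            rejected=$((rejected + 1))
        fi
    done < "$input"

    echo "$written"
    [ "$rejected" -eq 0 ]
}
```

Run it as `build_iprep hosts.txt /etc/suricata/iprep/compromised-ips.txt 1 100` and check the exit status, so a typo in the host list fails the deployment step instead of silently producing a file Suricata cannot load.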