[Oisf-users] Suricata - Equivalent of Blacklist in Snort?
Victor Julien
lists at inliniac.net
Mon Aug 29 15:37:00 UTC 2016
On 29-08-16 01:26, Brandon Reeves wrote:
> We are attempting to move from Snort to Suricata. We have our install
> down, got rules the way we want them and everything seems to be working
> well. Our last step is more complex. We have a number of Snort Blacklist
> files that we maintain. Depending on the blacklist file, an alert may be
> created or the site / IP may be blocked completely.
>
>
> Can someone explain how we can translate the blacklist files from snort
> into a suricata capability?
>
>
> We have looked into Suricata IP reputation, however we are unsure how to
> start there. We have read the documents regarding file formats and how
> to write a rule, but we are unsure how to get from a single blacklist to
> the new suricata reputation system. Then we need to understand how to
> block certain IP addresses that are within those lists.
To use the ip rep functionality you would create a category and then add
ip's that have a non-zero score in that category:
Your categories file would be:
1,BadHosts,Known bad hosts
Your rep file:
1.2.3.4,1,1
4.3.2.1,1,1
This means that both ip addresses have a score of 1 in category 1.
See
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationFormat
Then add a rule:
drop ip any any -> any any (msg:"Blacklisted"; iprep:src,BadHosts,=,1;
sid:1; rev:1;)
See
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules
You'll have to enable the files in your config. See
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationConfig
>
> FYI, this is my first post here so be gentle if this has been discussed
> prior.
Welcome!
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list