[Oisf-users] Suricata - Equivalent of Blacklist in Snort?

Victor Julien lists at inliniac.net
Mon Aug 29 15:37:00 UTC 2016


On 29-08-16 01:26, Brandon Reeves wrote:
> We are attempting to move from Snort to Suricata. We have our install
> down, got rules the way we want them and everything seems to be working
> well. Our last step is more complex. We have a number of Snort Blacklist
> files that we maintain. Depending on the blacklist file, an alert may be
> created or the site / IP may be blocked completely.
> 
> 
> Can someone explain how we can translate the blacklist files from snort
> into a suricata capability? 
> 
> 
> We have looked into Suricata IP reputation, however we are unsure how to
> start there. We have read the documents regarding file formats and how
> to write a rule, but we are unsure how to get from a single blacklist to
> the new suricata reputation system. Then we need to understand how to
> block certain IP addresses that are within those lists.

To use the IP reputation functionality, you would create a category and then add
IPs that have a non-zero score in that category:

Your categories file would be:
1,BadHosts,Known bad hosts

Your rep file:
1.2.3.4,1,1
4.3.2.1,1,1

This means that both ip addresses have a score of 1 in category 1.

See
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationFormat

Then add a rule:

drop ip any any -> any any (msg:"Blacklisted"; iprep:src,BadHosts,=,1; sid:1; rev:1;)

See
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules

You'll have to enable the files in your config. See
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationConfig

> 
> FYI, this is my first post here so be gentle if this has been discussed
> prior.

Welcome!

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
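The steps above (categories file, reputation file, iprep rule, config entries) are what a Snort-to-Suricata blacklist migration has to produce for every list. The script below is an added example, not code from Victor's post or from the Suricata project: it takes Snort-style blacklist files (one IP or CIDR per line, `#` comments) and emits the three artifacts plus the `suricata.yaml` fragment. The blacklist file names, addresses and the `/etc/suricata/iprep` path are constructed for the demonstration; the per-file alert/drop choice mirrors the poster's situation where some lists only alert and others block. CIDR entries are written as `address/prefix`, which is assumed to be accepted by your Suricata version's reputation loader (check the format page linked above).

```python
"""Convert Snort-style IP blacklist files into Suricata IP-reputation artifacts.

Added example (not the Suricata project's code). Produces:
  categories.txt   -> "<id>,<short name>,<description>"
  reputation.list  -> "<ip or cidr>,<category id>,<score 1-127>"
  iprep.rules      -> one alert/drop rule per category using the iprep keyword
  suricata.yaml fragment enabling the files
"""
import ipaddress
import os

# Constructed sample input standing in for the poster's Snort blacklist files.
# file name -> (rule action, file contents). Names and addresses are hypothetical.
SNORT_BLACKLISTS = {
    "alert-only.txt": ("alert", "# hosts we only want alerts for\n"
                                "192.0.2.10\n"
                                "198.51.100.0/24\n"),
    "block.txt":      ("drop",  "203.0.113.7 # trailing comment\n"
                                "2001:db8::1\n"
                                "not-an-ip\n"),
}

# Assumed deployment path; adjust to where your suricata.yaml lives.
IPREP_DIR = "/etc/suricata/iprep"


def parse_blacklist(text):
    """Return (entries, skipped). Entries are validated hosts or CIDR ranges.

    Blank lines and comments are dropped; malformed lines are reported rather
    than aborting the whole load, so one bad line cannot silently empty a list.
    """
    entries, skipped = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # accepts IPv4/IPv6 host or CIDR
        except ValueError:
            skipped.append(line)
            continue
        # Single hosts are written bare; ranges keep their prefix length.
        entries.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return entries, skipped


def build_iprep(blacklists, base_sid=9000000, score=127):
    """Return dict with 'categories', 'reputation', 'rules' text and 'skipped' lines.

    Each blacklist file becomes one category (ids start at 1). Every address in
    it gets the maximum score so a rule with operator '>' and threshold 0 matches.
    """
    cats, reps, rules, skipped = [], [], [], []
    for cat_id, (fname, (action, text)) in enumerate(sorted(blacklists.items()), start=1):
        short = fname.rsplit(".", 1)[0].replace("-", "_")  # keep category names simple tokens
        cats.append(f"{cat_id},{short},Imported from Snort blacklist {fname}")
        entries, bad = parse_blacklist(text)
        skipped.extend(bad)
        reps.extend(f"{net},{cat_id},{score}" for net in entries)
        # iprep:<side>,<category>,<operator>,<score>; 'any' matches src or dst.
        rules.append(
            f'{action} ip any any -> any any (msg:"Blacklist {short}"; '
            f'iprep:any,{short},>,0; sid:{base_sid + cat_id - 1}; rev:1;)')
    return {
        "categories": "\n".join(cats) + "\n",
        "reputation": "\n".join(reps) + "\n",
        "rules": "\n".join(rules) + "\n",
        "skipped": skipped,
    }


def suricata_yaml_snippet(iprep_dir=IPREP_DIR):
    """Config keys that enable the generated files in suricata.yaml."""
    return (f"reputation-categories-file: {iprep_dir}/categories.txt\n"
            f"default-reputation-path: {iprep_dir}\n"
            "reputation-files:\n"
            " - reputation.list\n")


if __name__ == "__main__":
    out = build_iprep(SNORT_BLACKLISTS)
    os.makedirs("iprep", exist_ok=True)  # write locally; copy to IPREP_DIR when ready
    for name, key in (("categories.txt", "categories"),
                      ("reputation.list", "reputation"),
                      ("iprep.rules", "rules")):
        with open(os.path.join("iprep", name), "w") as fh:
            fh.write(out[key])
    print(suricata_yaml_snippet())
    if out["skipped"]:
        print("skipped malformed entries:", out["skipped"])
```

Note that `drop` only blocks when Suricata runs inline (NFQ or AF_PACKET IPS mode); in IDS mode the rule still fires but the packet passes. Re-run the script whenever the source blacklists change and reload the rule set so the new reputation data is picked up.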