[Oisf-users] Suricata and IP Reputation

Stanford Prescott stan.prescott at gmail.com
Sun May 21 20:31:54 UTC 2017


I'm trying to figure out how to use the "iprep" features with Suricata. I
have been a snort user and am familiar with how Snort uses the IP
reputation blacklist provided by Talos Intelligence. Suricata seems to be a
bit different in how it uses IP reputation lists.

1.) Is the categories.txt file defined in suricata.yaml with
reputation-categories-file: /etc/suricata/iprep/categories.txt
available to download or is it dynamically created with use of the IP
reputation feature?

2.) Is the reputation.list file defined in the yaml file with

reputation-files:
 - reputation.list

available to download in the CSV format that the documentation says the
files should be in, i.e. <ip>,<category>,<reputation score>?

Also a related question...when I attempt to add an IP based rule file such
as the ET compromised.rules to use with Suricata, I get error messages for
all the rules in compromised.rules saying they are duplicate signatures. Do
I not have something configured correctly to use those ip based rules?
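A parser and consistency check for the two iprep files the question refers to, added here as an example (not Suricata's code and not the poster's): categories.txt holds <id>,<short name>,<description> rows, reputation files hold <ip>,<category>,<reputation score> rows with scores from 0 to 127, and the lookup mirrors what an iprep rule keyword tests by category short name. Accepting CIDR networks alongside host addresses and taking the highest score where entries overlap are this example's own choices.

```python
# Added example, not Suricata's code: parse and cross-check the two iprep files
# (categories.txt: <id>,<short name>,<description>; reputation.list:
# <ip or cidr>,<category id>,<score 0-127>). Sample contents are constructed.
import ipaddress

CATEGORIES_TXT = """\
# id,short name,description
1,BadHosts,Known bad hosts
2,Scanners,Hosts seen scanning
"""
REPUTATION_LIST = """\
# ip,category,score
192.0.2.10,1,127
198.51.100.0/24,2,80
2001:db8::1,1,60
"""

def parse_categories(text):
    """Return {category id: short name}, skipping blank and comment lines."""
    rows = [l.split(",", 2) for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return {int(cid): short.strip() for cid, short, _desc in rows}

def parse_reputation(text, cats):
    """Return (entries, errors); entries are (network, category id, score)."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip, cid, score = (f.strip() for f in line.split(","))
            net, cid, score = ipaddress.ip_network(ip, strict=False), int(cid), int(score)
        except ValueError as e:
            errors.append(f"line {n}: malformed entry ({e})")
            continue
        if cid not in cats:
            errors.append(f"line {n}: unknown category id {cid}")
        elif not 0 <= score <= 127:
            errors.append(f"line {n}: score {score} outside 0-127")
        else:
            entries.append((net, cid, score))
    return entries, errors

def reputation(ip, short_name, entries, cats):
    """Score an iprep test on `short_name` sees for `ip`; highest wins on overlap (this example's choice)."""
    addr = ipaddress.ip_address(ip)
    ids = {cid for cid, name in cats.items() if name == short_name}
    scores = [s for net, cid, s in entries if cid in ids and addr in net]
    return max(scores) if scores else None
```

Running it against real files from the default-reputation-path flags entries Suricata would reject (unknown category ids, scores above 127) before the engine loads them.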
