[Oisf-users] Suricata and IP Reputation
Kerry Milestone
Kerry.Milestone at ed.ac.uk
Tue May 30 09:46:26 UTC 2017
Hello,
you'll need to generate the categories.txt file yourself. I use an
automated script which goes and builds all rep files based on a list and
from log parsing other services. This is loaded at startup.
So, you'll have cat.txt file which looks a bit like this:
1,Bad_Things,The Bad Things
2,More_Bad,More Bad but perhaps not so bad things
3,Naughty,Things which are bad, and being very naughty
4,Bright, Things which stand out like a light bulb
Then in your reputation.list you'll have, and you decide the priorities,
similar to this list which I again recreate dynamically every n moments.
a.a.a.a,1,10
a.a.b.b,1,10
a.a.a.b,4,20
a.b.a.a,4,15
The reputation.list is reloaded when hitting suricata with the USR2 signal,
but the categories file isn't.
The rules look something like this:
alert ip $MONITOR_HOME any -> any any (msg:"The Bad Things";
flow:to_server; iprep:dst,Bad_Things,=,10; sid:12345; rev:1;)
alert ip $MONITOR_HOME any -> any any (msg:"More Bad"; flow:to_server;
iprep:dst,More_Bad,=,10; sid:12346; rev:1;)
alert ip $MONITOR_HOME any -> any any (msg:"Bright like a moth to a
lightbulb"; flow:to_server; iprep:dst,Bright,>,15; sid:12347; rev:1;)
alert ip $MONITOR_HOME any -> any any (msg:"Bright like a moth to a
lesser lightbulb"; flow:to_server; iprep:dst,Bright,=,15; sid:12348; rev:1;)
So, the Talos feed will need to be parsed into talos.list, each line
into "<ip>,<category>,<reputation score>"
i.e.
a.c.d.e/16,Talos,10
b.c.d.e,Talos,10
and the cat.txt will look like
1,Talos,Talos Feed
and a rule somewhere loaded
alert ip $MONITOR_HOME any -> any any (msg:"Talos Score 10";
flow:to_server; iprep:dst,Talos,=,10; sid:12349; rev:1;)
Things to look out for in your logs:
[20542] 24/3/2017 -- 15:01:40 - (reputation.c:479) <Error>
(SRepLoadFileFromFD) -- [ERRCODE: SC_ERR_NO_REPUTATION(224)] - failed to
get a host, increase host.memcap
which means what it says: when you have a huge list, it'll hit this.
[30098] 5/4/2017 -- 12:18:32 - (detect-iprep.c:297) <Error>
(DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown
iprep category "TheBotNets"
[30098] 5/4/2017 -- 12:18:32 - (detect.c:367) <Error>
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
parsing signature "alert ip $MONITOR_HOME any -> any any (msg:"Internal
host talking to Random Botnet of Doom"; flow:to_server;
iprep:dst,TheBotNets,=,10; sid:12350; rev:1;)" from file iprep.rules at
line 22
Which again, as it suggests, needs an entry in categories.
And make sure all your rules have unique SIDs to load them initially.
On 21/05/17 21:31, Stanford Prescott wrote:
> I'm trying to figure out how to use the "iprep" features with Suricata.
> I have been a snort user and am familiar with how Snort uses the IP
> reputation blacklist provided by Talos Intelligence. Suricata seems to
> be a bit different in how it uses IP reputation lists.
>
> 1.) Is the categories.txt file defined in suricata.yaml with
> reputation-categories-file: /etc/suricata/iprep/categories.txt
> available to download or is it dynamically created with use of the IP
> reputation feature?
>
> 2.) Is the reputation.list file defined in the yaml file with
>
> reputation-files:
>   - reputation.list
>
> available to download in the csv format that the documentation says the
> files should be i.e. <ip>,<category>,<reputationscore>
>
> Also a related question...when I attempt to add an IP based rule file
> such as the ET compromised.rules to use with Suricata, I get error
> messages for all the rules in compromised.rules saying they are
> duplicate signatures. Do I not have something configured correctly to
> use those ip based rules?
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
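A pre-load check for the three files described in the post, as an added example that is neither the poster's script nor Suricata's own code: it parses categories.txt and reputation.list in the formats shown, then flags the two conditions behind the quoted log errors (a rule whose iprep category has no categories entry, and a reused SID) before suricata is restarted or sent USR2. The sample inputs are constructed, and the 0-127 score bound assumes Suricata's documented reputation score range.

```python
import ipaddress
import re
# Constructed samples modelled on the post's cat.txt, reputation.list and iprep rules:
# "TheBotNets" is deliberately absent from the categories and sid 12345 is reused.
CATEGORIES_TXT = """1,Bad_Things,The Bad Things
2,More_Bad,More Bad but perhaps not so bad things
4,Bright,Things which stand out like a light bulb
"""
REPUTATION_LIST = """10.0.0.0/16,4,20
10.0.0.2,9,15
10.0.0.3,1,300
"""
RULES = """alert ip $MONITOR_HOME any -> any any (msg:"The Bad Things"; flow:to_server; iprep:dst,Bad_Things,=,10; sid:12345; rev:1;)
alert ip $MONITOR_HOME any -> any any (msg:"Botnet of Doom"; flow:to_server; iprep:dst,TheBotNets,=,10; sid:12350; rev:1;)
alert ip $MONITOR_HOME any -> any any (msg:"Bright"; flow:to_server; iprep:dst,Bright,>,15; sid:12345; rev:1;)
"""
IPREP_RE = re.compile(r"iprep:\s*(src|dst|both|any)\s*,\s*([^,\s]+)\s*,\s*([<>=]{1,2})\s*,\s*(\d+)")
SID_RE = re.compile(r"\bsid:\s*(\d+)")

def parse_categories(text):
    """categories.txt lines are '<id>,<short name>,<description>'; return {id: name}."""
    rows = (ln.split(",", 2) for ln in text.splitlines() if ln.strip() and not ln.startswith("#"))
    return {int(cid): name.strip() for cid, name, _desc in rows}

def check_reputation(text, cats):
    """reputation.list lines are '<ip>,<category id>,<score>'; return (line, problem) pairs."""
    problems = []
    for n, ln in enumerate(text.splitlines(), 1):
        ip, cid, score = (f.strip() for f in ln.split(","))
        try:
            ipaddress.ip_network(ip, strict=False)  # single IPs and CIDR blocks both allowed
        except ValueError:
            problems.append((n, f"bad address {ip}"))
        if int(cid) not in cats:
            problems.append((n, f"unknown category id {cid}"))
        if not 0 <= int(score) <= 127:  # assumed Suricata score range 0-127
            problems.append((n, f"score {score} out of range"))
    return problems

def check_rules(text, cats):
    """Flag iprep rules naming a category not in categories.txt, and reused SIDs."""
    lines = text.splitlines()
    problems = [(n, f"unknown iprep category {m.group(2)}")
                for n, m in enumerate(map(IPREP_RE.search, lines), 1)
                if m and m.group(2) not in cats.values()]
    sids = [m.group(1) for m in map(SID_RE.search, lines) if m]
    problems += [(0, f"duplicate sid {s}") for s in sorted(set(sids)) if sids.count(s) > 1]
    return problems
```

Run the three checks against the real files from the generating script before signalling suricata; an empty result from each means the reload should not trip the errors shown above.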