[Oisf-users] Suricata and IP Reputation

Peter Manev petermanev at gmail.com
Wed May 31 08:17:28 UTC 2017


On Tue, May 30, 2017 at 12:46 PM, Kerry Milestone
<Kerry.Milestone at ed.ac.uk> wrote:
> Hello,
>
> you'll need to generate the categories.txt file yourself.  I use an
> automated script which goes and builds all rep files based on a list and
> from log parsing other services.  This is loaded at startup.
>
> So, you'll have cat.txt file which looks a bit like this:
>
> 1,Bad_Things,The Bad Things
> 2,More_Bad,More Bad but perhaps not so bad things
> 3,Naughty,Things which are bad, and being very naughty
> 4,Bright, Things which stand out like a light bulb
>
> Then in your reputation.list you'll have, and you decide the priorities,
> similar to this list which I again recreate dynamically every n moments.
>
> a.a.a.a,1,10
> a.a.b.b,1,10
> a.a.a.b,4,20
> a.b.a.a,4,15
>
> The reputation.list is reloaded when hitting suricata with USR2 signal
> but the categories file isn't.
>
> The rules look something like this:
>
> alert ip $MONITOR_HOME any -> any any (msg:"The Bad Things";
> flow:to_server; iprep:dst,Bad_Things,=,10; sid:12345; rev:1;)
> alert ip $MONITOR_HOME any -> any any (msg:"More Bad"; flow:to_server;
> iprep:dst,More_Bad,=,10; sid:12346; rev:1;)
> alert ip $MONITOR_HOME any -> any any (msg:"Bright like a moth to a
> lightbulb"; flow:to_server; iprep:dst,Bright,>,15; sid:12347; rev:1;)
> alert ip $MONITOR_HOME any -> any any (msg:"Bright like a moth to a
> lesser lightbulb"; flow:to_server; iprep:dst,Bright,=,15; sid:12348; rev:1;)
>
> So, the Talos feed will need to be parsed into talos.list, each line
> into "<ip>,<category>,<reputation score>"
>
> i.e.
>
> a.c.d.e/16,Talos,10
> b.c.d.e,Talos,10
>
> and the cat.txt will look like
> 1,Talos,Talos Feed
>
> and a rule somewhere loaded
>
> alert ip $MONITOR_HOME any -> any any (msg:"Talos Score 10";
> flow:to_server; iprep:dst,Talos,=,10; sid:12349; rev:1;)
>
>
>
> Things to look out for in your logs:
>
> [20542] 24/3/2017 -- 15:01:40 - (reputation.c:479) <Error>
> (SRepLoadFileFromFD) -- [ERRCODE: SC_ERR_NO_REPUTATION(224)] - failed to
> get a host, increase host.memcap
>
> which means what it says: when you have a huge list, it'll hit this.
>
>
> [30098] 5/4/2017 -- 12:18:32 - (detect-iprep.c:297) <Error>
> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown
> iprep category "TheBotNets"
> [30098] 5/4/2017 -- 12:18:32 - (detect.c:367) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> parsing signature "alert ip $MONITOR_HOME any -> any any (msg:"Internal
> host talking to Random Botnet of Doom"; flow:to_server;
> iprep:dst,TheBotNets,=,10; sid:12350; rev:1;)" from file iprep.rules at
> line 22
>
> Which again, as it suggests, needs an entry in categories.
>
>
> And make sure all your rules have unique SIDs to load them initially.
>
>

If you need to avoid custom SID allocation conflicts you can have an
idea from here as well -
http://doc.emergingthreats.net/bin/view/Main/SidAllocation


Regards,
Peter Manev
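As an added illustration (not code from Kerry's or Peter's messages, and not part of Suricata itself), here is a Python script that builds the two inputs described in the thread, a categories file and a reputation list derived from a feed, and catches the two load-time errors the thread warns about before Suricata does: an iprep category that is not defined in the categories file, and rules that reuse a SID. The feed lines, category table and rules are constructed samples. The reputation entries use the numeric category id, which is the format the Suricata documentation gives for reputation files, and the 0-127 score range also comes from that documentation.

```python
"""Build Suricata iprep inputs from a feed and sanity-check rules against them.

Added example, not code from the mailing-list thread or from Suricata; the
feed, category table and rules below are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed category table: (id, short name, description), mirroring the
# "id,name,description" layout of the categories file shown in the thread.
CATEGORIES: List[Tuple[int, str, str]] = [
    (1, "Bad_Things", "The Bad Things"),
    (2, "Talos", "Talos Feed"),
]

# Constructed feed: one indicator per line with an optional score column;
# comments and blank lines are ignored. Documentation ranges only.
SAMPLE_FEED = """\
# constructed feed, not real indicators
192.0.2.10
192.0.2.0/24 20
198.51.100.7 200
not-an-ip 10
"""

# Constructed rules: one valid, one with an undefined category, one duplicate SID.
SAMPLE_RULES = [
    'alert ip $HOME_NET any -> any any (msg:"Talos Score 10"; flow:to_server; '
    'iprep:dst,Talos,=,10; sid:12349; rev:1;)',
    'alert ip $HOME_NET any -> any any (msg:"Botnet"; flow:to_server; '
    'iprep:dst,TheBotNets,=,10; sid:12350; rev:1;)',
    'alert ip $HOME_NET any -> any any (msg:"Dup"; iprep:dst,Bad_Things,>,5; '
    'sid:12349; rev:1;)',
]

IPREP_RE = re.compile(r"iprep:\s*(any|src|dst|both)\s*,\s*([^,;]+?)\s*,\s*([<>=]+)\s*,\s*(\d+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def render_categories(categories=CATEGORIES) -> str:
    """Render the categories file: one "id,name,description" line per category."""
    return "\n".join(f"{cid},{name},{desc}" for cid, name, desc in categories) + "\n"


def category_ids(categories=CATEGORIES) -> Dict[str, int]:
    """Map short category names to their numeric ids."""
    return {name: cid for cid, name, _ in categories}


def feed_to_replist(feed: str, category: str, default_score: int = 10,
                    categories=CATEGORIES) -> Tuple[List[str], List[str]]:
    """Translate feed lines into "<ip>,<category id>,<score>" reputation entries.

    Returns (entries, rejected): unparsable addresses and scores outside the
    documented 0-127 range are reported rather than silently dropped.
    """
    cid = category_ids(categories)[category]  # KeyError if the category is undefined
    entries, rejected = [], []
    for raw in feed.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
            score = int(parts[1]) if len(parts) > 1 else default_score
        except ValueError:
            rejected.append(raw)
            continue
        if not 0 <= score <= 127:
            rejected.append(raw)
            continue
        # Single hosts are written bare; networks keep their prefix length.
        ip_text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        entries.append(f"{ip_text},{cid},{score}")
    return entries, rejected


def check_rules(rules: List[str], categories=CATEGORIES) -> List[str]:
    """Report what Suricata would reject at load time: an iprep category that is
    not in the categories file, and SIDs that are missing or reused."""
    known = category_ids(categories)
    problems, seen = [], {}
    for n, rule in enumerate(rules, 1):
        m = IPREP_RE.search(rule)
        if m and m.group(2) not in known:
            problems.append(f'line {n}: unknown iprep category "{m.group(2)}"')
        s = SID_RE.search(rule)
        if not s:
            problems.append(f"line {n}: missing sid")
        elif s.group(1) in seen:
            problems.append(f"line {n}: duplicate sid {s.group(1)} (first at line {seen[s.group(1)]})")
        else:
            seen[s.group(1)] = n
    return problems


if __name__ == "__main__":
    print(render_categories(), end="")
    entries, rejected = feed_to_replist(SAMPLE_FEED, "Talos")
    print("\n".join(entries))
    print("rejected feed lines:", rejected)
    for problem in check_rules(SAMPLE_RULES):
        print(problem)
```

Running the script prints the categories file, the two reputation entries derived from the sample feed, the two feed lines it refused, and one problem per bad rule. Because the categories file is only read at startup while the reputation list can be reloaded with USR2, regenerating the list on a schedule is safe only as long as the script never introduces a category id that the running Suricata has not loaded; the explicit KeyError on an unknown category name is there to make that mistake fail in the generator rather than in the sensor.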


