[Oisf-users] iprep rules / configuration

mike tancsa mike at sentex.net
Tue Nov 19 18:41:40 UTC 2019

Hi all,

New user here.  I am not sure I am getting the usage / notional purpose
of IP reputation lists right.  My goal is to get a high level alert
every time I see an endpoint talk to certain blacklisted IPs. I have
the following custom rule

alert ip any any -> any any (msg:"IPREP internal host talking to blacklistedIP"; iprep:any,firehol,>,90; sid:100003; rev:1;)

I have the following in suricata.yaml

# grep -A4 iprep /usr/local/etc/suricata/suricata.yaml
reputation-categories-file: /usr/local/etc/suricata/iprep/categories.txt
default-reputation-path: /usr/local/etc/suricata/iprep
 - firehol.list

# cat /usr/local/etc/suricata/iprep/categories.txt
1,firehol,firehol-Known Bad hosts should be blocked

# wc /usr/local/etc/suricata/iprep/firehol.list
    2741    2741   58434 /usr/local/etc/suricata/iprep/firehol.list

# tail -1 /usr/local/etc/suricata/iprep/firehol.list,1,126

I am doing a kill -USR2 `cat /var/run/suricata.pid`.  It's Suricata
5.0.0-rc1 from the FreeBSD ports on RELENG12.1. suricata-update and
suricata -T all show no syntax errors. But the rule is not being hit for
some reason.

Generating some traffic to the "bad" host only generates a flow record,
but no alert record

% tail -f eve-2019-11-19-13:00.json | jq -c
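An offline checker for the inputs involved in the post, added here as an example (not code from the Suricata project or from the poster). It parses a categories file and a reputation list in the formats the post shows (`id,shortname,description` and `ip,category,value`), reports lines Suricata would have no use for (wrong field count, unknown category id, value outside 0..127), and evaluates an `iprep:` option such as `any,firehol,>,90` against a src/dst pair so you can confirm that a given flow should have produced the alert before looking elsewhere. The sample categories and list entries are constructed; CIDR entries and longest-prefix precedence are assumptions about how the list is interpreted, not something the post states.

```python
"""Offline sanity checker for Suricata iprep inputs and the iprep rule keyword.

Added example, not Suricata code. Assumed formats (from the iprep docs):
  categories file : <id>,<short name>,<description>
  reputation list : <ip or cidr>,<category id>,<value 0-127>
  rule option     : iprep:<any|src|dst|both>,<category>,<op>,<value>
"""
import ipaddress
import operator

OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}
MAX_VALUE = 127  # reputation values are 0..127

# Constructed sample data (the real firehol feed is not reproduced here).
CATEGORIES = "1,firehol,firehol-Known Bad hosts should be blocked\n"
REPLIST = """# constructed sample list
198.51.100.7,1,126
203.0.113.0/24,1,95
192.0.2.9,1,50
192.0.2.10,2,100
192.0.2.11,1,200
"""


def parse_categories(text):
    """Return {short_name: id}; raise ValueError on a malformed line."""
    cats = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            raise ValueError(f"categories line {n}: expected id,name,description")
        cats[parts[1].strip()] = int(parts[0])
    return cats


def parse_reputation_list(text, cats):
    """Return ([(network, category_id, value)], [(line_no, problem)])."""
    entries, problems = [], []
    known_ids = set(cats.values())
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            problems.append((n, "expected ip,category,value"))
            continue
        try:
            net = ipaddress.ip_network(parts[0].strip(), strict=False)
            cat_id, value = int(parts[1]), int(parts[2])
        except ValueError as exc:
            problems.append((n, str(exc)))
            continue
        if cat_id not in known_ids:
            problems.append((n, f"category id {cat_id} not in categories file"))
            continue
        if not 0 <= value <= MAX_VALUE:
            problems.append((n, f"value {value} outside 0..{MAX_VALUE}"))
            continue
        entries.append((net, cat_id, value))
    return entries, problems


def parse_iprep_option(option):
    """Parse 'any,firehol,>,90' into (direction, category, compare_fn, value)."""
    direction, category, op, value = [p.strip() for p in option.split(",")]
    if direction not in ("any", "src", "dst", "both") or op not in OPS:
        raise ValueError(f"bad iprep option: {option}")
    return direction, category, OPS[op], int(value)


def reputation_of(ip, category_id, entries):
    """Value stored for ip in that category, or None. Longest prefix wins (assumed)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cid, val in entries:
        if cid == category_id and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, val)
    return None if best is None else best[1]


def would_match(src, dst, option, cats, entries):
    """Would an iprep rule with this option fire on a src -> dst packet?"""
    direction, category, compare, value = parse_iprep_option(option)
    cid = cats[category]
    hosts = {"src": [src], "dst": [dst], "any": [src, dst], "both": [src, dst]}[direction]
    hits = []
    for ip in hosts:
        rep = reputation_of(ip, cid, entries)
        hits.append(rep is not None and compare(rep, value))
    return all(hits) if direction == "both" else any(hits)


if __name__ == "__main__":
    cats = parse_categories(CATEGORIES)
    entries, problems = parse_reputation_list(REPLIST, cats)
    for n, why in problems:
        print(f"list line {n}: {why}")
    print(would_match("10.0.0.5", "198.51.100.7", "any,firehol,>,90", cats, entries))
```

Run it against the real `categories.txt` and `firehol.list` by reading those files into `CATEGORIES` and `REPLIST`; a non-empty `problems` list, or `would_match` returning False for a flow you expected to alert on, narrows the search to the data rather than the engine.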




