[Oisf-users] iprep rules / configuration
mike tancsa
mike at sentex.net
Tue Nov 19 18:41:40 UTC 2019
Hi all,
New user here. I am not sure I am getting the usage / notional purpose
of IP reputation lists right. My goal is to get a high-level alert
every time I see an endpoint talk to certain blacklisted IPs. I have
the following custom rule:
alert ip any any -> any any (msg:"IPREP internal host talking to blacklistedIP"; iprep:any,firehol,>,90; sid:100003; rev:1;)
I have the following in suricata.yaml:
# grep -A4 iprep /usr/local/etc/suricata/suricata.yaml
reputation-categories-file: /usr/local/etc/suricata/iprep/categories.txt
default-reputation-path: /usr/local/etc/suricata/iprep
reputation-files:
- firehol.list
# cat /usr/local/etc/suricata/iprep/categories.txt
1,firehol,firehol-Known Bad hosts should be blocked
# wc /usr/local/etc/suricata/iprep/firehol.list
2741 2741 58434 /usr/local/etc/suricata/iprep/firehol.list
# tail -1 /usr/local/etc/suricata/iprep/firehol.list
192.168.178.2,1,126
I am doing a kill -USR2 `cat /var/run/suricata.pid`. It's Suricata
5.0.0-rc1 from the FreeBSD ports on RELENG12.1. suricata-update and
suricata -T all show no syntax errors. But the rule is not being hit for
some reason.
Generating some traffic to the "bad" host only generates a flow record,
but no alert record:
% tail -f eve-2019-11-19-13:00.json | jq -c 'select(.dest_ip=="192.168.178.2")'
{"timestamp":"2019-11-19T13:28:38.001364-0500","flow_id":1425743185131937,"in_iface":"igb1","event_type":"flow","src_ip":"10.20.5.7","src_port":21487,"dest_ip":"192.168.178.2","dest_port":5000,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":3,"bytes_toserver":431,"bytes_toclient":206,"start":"2019-11-19T13:27:35.670113-0500","end":"2019-11-19T13:27:35.686332-0500","age":0,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"13","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
Thanks!
---Mike
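As an added check (example code written for this thread, not from the post or from Suricata itself): it parses the two iprep file formats shown above (categories.txt and a reputation list) and evaluates an iprep option such as the one in the rule against a single flow, so you can confirm from the list data alone whether a flow like the one in the eve record should match. The sample files are constructed; the CIDR entry is an assumption that mirrors Suricata's netblock support.

```python
import ipaddress

# Constructed sample data in the two iprep file formats from the post
# (not the files from the post; the CIDR entry assumes Suricata's netblock support).
CATEGORIES_TXT = """\
1,firehol,firehol-Known Bad hosts should be blocked
"""
REPUTATION_LIST = """\
192.168.178.2,1,126
203.0.113.0/24,1,40
"""

def parse_categories(text):
    """categories.txt lines: <id>,<short name>,<description>  ->  {short name: id}"""
    cats = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            cat_id, name, _desc = line.split(",", 2)
            cats[name] = int(cat_id)
    return cats

def parse_reputation(text):
    """reputation list lines: <ip|cidr>,<category id>,<score>  ->  [(network, id, score)]"""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        addr, cat_id, score = line.split(",")
        if not 0 <= int(score) <= 127:          # Suricata scores are 0..127
            raise ValueError(f"reputation out of range: {line}")
        entries.append((ipaddress.ip_network(addr, strict=False), int(cat_id), int(score)))
    return entries

def reputation(entries, ip, cat_id):
    """Highest score recorded for ip in the category, or None when unlisted."""
    ip = ipaddress.ip_address(ip)
    scores = [s for net, c, s in entries if c == cat_id and ip in net]
    return max(scores) if scores else None

OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def iprep_matches(iprep_opt, cats, entries, src_ip, dst_ip):
    """Evaluate an iprep option such as 'any,firehol,>,90' against one flow."""
    side, cat_name, op, threshold = (p.strip() for p in iprep_opt.split(","))
    cat_id, threshold = cats[cat_name], int(threshold)
    ips = {"src": [src_ip], "dst": [dst_ip]}.get(side, [src_ip, dst_ip])
    hits = []
    for ip in ips:
        rep = reputation(entries, ip, cat_id)
        hits.append(rep is not None and OPS[op](rep, threshold))
    return all(hits) if side == "both" else any(hits)
```

With the flow from the eve record (10.20.5.7 -> 192.168.178.2) and the list entry scored 126, `iprep_matches("any,firehol,>,90", ...)` returns True, so if the data on disk looks like this the question is whether Suricata actually loaded it, not whether the rule logic fits.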