Handle ET 3CORESec Poor Reputation IP groups rules

Hi.

What is the best way to deal with Poor Reputation rules. It is expected IPs are going to continually probe any open ports. Right now I am adding them to a list like this:

suppress gen_id 1, sig_id 2403379, track by_dst, ip 192.168.90.10
suppress gen_id 1, sig_id 2403384, track by_dst, ip 192.168.90.10
suppress gen_id 1, sig_id 2403377, track by_dst, ip 192.168.90.10

I don’t want to disable the rule as it would be interesting if there are any connections out to Poor Reputation ip addresses.

thanks,
Geoff

Hi,

(Disclaimer: I’m not a rule writer, but…)

Have you tried using a threshold config file where you’d add those?

reference: 12.2. Global-Thresholds — Suricata 7.0.3-dev documentation

Hi.

Looking at my event log I am not sure a threshold alert will make any difference. I normally get a single connection from those IP addresses in the Poor Reputation group.

Right now it looks like I need to create a matching suppress rule for every ET poor reputation ip group rules.

thanks!!

What are you using to update the rules? I wonder if you can use modify.conf to modify the rules to look for outbound instead of inbound?

for Suricata-Update this might be something like this (untested)

re: "^alert ip (.*) any -> \$HOME_NET any (msg:\"ET 3CORESec" "alert ip \$HOME_NET any -> \\1 any (msg:\"ET 3CORESec"

Yes, something like that is an interesting solution. I will look at it in more detail and report back.
thank you for the direction.