Hi @syoc ,
Thank you for answering. At this point I have read a lot of documentation (including the official doc), but there are parts or details that are not clear to me. I wish I could do it on my own, but so far I keep failing. That is why I am asking for help here.
Having IPREP working would be great! I do think it is the right engine to be used. I have tried everything I can, with many different combinations and also tried recommendations from Suricata and SELKS teams, but it looks like there is a bug and now I am stuck. So I decided to try Peter’s advice from here:
Apparently datasets can be used for the same purpose. The mechanism is similar to IPREP. So I am trying hard to have it operational, but again I’m facing errors due to my lack of knowledge.
Here are the last errors I got. Please remember that I am running Suricata as part of SELKS suite, so I must enter rules via Scirius or I might lose them after a Scirius restart.
* **SC_ERR_DATASET** : dataset test-badip not defined
* **SC_ERR_INVALID_SIGNATURE** : failed to set up dataset 'test-badip'.
* **SC_ERR_INVALID_SIGNATURE** : error parsing signature "alert ip any any -> any any (msg:"TEST Bad IP"; ipv4.hdr; dataset:isset,test-badip; sid:10; rev:1;) "
* **SC_ERR_INVALID_SIGNATURE** : error parsing signature "alert ip any any -> any any (msg:"TEST Bad GeoIP"; geoip:RU,CN,KR,KP,UA; sid:11; rev:1;)"
I also tried to add a dataset as described here, from another Suricata forum post, but failed as well.
* **SC_ERR_DATASET** : dataset dns-seen not defined
* **SC_ERR_INVALID_SIGNATURE** : failed to set up dataset 'dns-seen'.
* **SC_ERR_INVALID_SIGNATURE** : error parsing signature "alert dns any any -> any any (msg: "dns list test"; dns.query; dataset:isset,dns-seen; sid:123; rev:1;)"
I really appreciate if you or somebody else could help me.
Thank you