Thank you for continuing to research this issue. I will try filtering the IP lists and share feedback later.
Quick question. I am using scirius-iprep.list plus a custom blacklist as well, as described here. Per your recommendation, I am assuming that I need to split both lists, right?
Also, as a side report: even after I defined a custom path for all the iprep files and moved scirius-iprep.list to the new location, the same file is being created automatically in the old path. The current config can be found in the link provided.
Old path: /etc/suricata/rules/
New path: /etc/suricata/rules/iprep/
I am not sure if Suricata is reading the scirius-iprep.list stored in the new path, as the most recent date belongs to the file in the old path, so I will split both for now, unless you advise something else.
I am happy to announce that the solution provided by @vjulien seems to be working fine!! I created separate lists for IPv4 and IPv6. The tests carried out so far show that Suricata successfully blocks access to up to 36,000 items.
Comments:
I split my custom blacklist test-iprep.list into IPv4 and IPv6 and, with that done, Suricata is reading and blocking the test IP address at position 36000 in the list.
I did not apply the same solution to scirius-iprep.list, and yet the issue seems to be resolved. I can confirm that scirius-iprep.list has both IPv4 and IPv6 addresses.
I want to thank you all for attending and focusing on my problem and for providing a solution that works in such a short time.
For now I will be using the workaround, which consists of separating the IPv4 and IPv6 addresses in the blacklists. Soon I will apply the latest Suricata updates and that should be the final solution.
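The workaround described above (one iprep file per address family) is easy to get wrong by hand on a list of tens of thousands of entries, so here is an added helper script that does the split and validates each line on the way through. This is example code written for this thread, not part of Suricata or of the lists mentioned in the posts. It assumes the standard Suricata iprep line format `ip,category,reputation` (single IPs or CIDR networks, reputation scores 0-127), and the file names it writes (`*-v4.list`, `*-v6.list`) and the sample entries are my own constructed choices.

```python
"""Split a Suricata IP reputation list into IPv4-only and IPv6-only files.

Suricata iprep list lines have the form  ip,category,reputation  where
category is a numeric id from the categories file and reputation is 0-127.
Comment lines start with '#' and blank lines are ignored. Malformed entries
are reported rather than silently dropped, because a list that Suricata
cannot parse completely is exactly the failure mode discussed in this thread.
"""
import ipaddress
import tempfile
from pathlib import Path

# Constructed sample input (RFC 5737 / RFC 3849 documentation ranges), not a real blocklist.
SAMPLE_LIST = """\
# constructed sample, not a real blocklist
192.0.2.10,1,100
2001:db8::10,1,100
198.51.100.0/24,6,80
not-an-ip,1,50
192.0.2.11,1,200
"""


def parse_iprep_line(line: str):
    """Return (network, category, score) for a data line, None for comments/blanks.

    Raises ValueError for malformed entries so the caller can report them.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = [p.strip() for p in stripped.split(",")]
    if len(parts) != 3:
        raise ValueError(f"expected 3 comma-separated fields: {line!r}")
    # ip_network accepts both single addresses and CIDR networks.
    net = ipaddress.ip_network(parts[0], strict=False)
    category = int(parts[1])
    score = int(parts[2])
    if category < 1:
        raise ValueError(f"category must be a positive id: {line!r}")
    if not 0 <= score <= 127:
        raise ValueError(f"reputation score must be 0-127: {line!r}")
    return net, category, score


def split_iprep(lines):
    """Return (ipv4_entries, ipv6_entries, rejected) for an iterable of list lines.

    rejected is a list of (line_number, reason) tuples. Duplicate entries are kept
    only once, preserving first-seen order.
    """
    v4, v6, rejected, seen = [], [], [], set()
    for lineno, line in enumerate(lines, 1):
        try:
            parsed = parse_iprep_line(line)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if parsed is None:
            continue
        net, category, score = parsed
        # Write single hosts back without a /32 or /128 suffix, networks in CIDR form.
        addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
        entry = f"{addr},{category},{score}"
        if entry in seen:
            continue
        seen.add(entry)
        (v4 if net.version == 4 else v6).append(entry)
    return v4, v6, rejected


def write_split_lists(src: Path, dst_dir: Path):
    """Read src and write <stem>-v4.list and <stem>-v6.list into dst_dir.

    Returns (ipv4_count, ipv6_count, rejected).
    """
    v4, v6, rejected = split_iprep(src.read_text().splitlines())
    dst_dir.mkdir(parents=True, exist_ok=True)
    (dst_dir / f"{src.stem}-v4.list").write_text("\n".join(v4) + "\n")
    (dst_dir / f"{src.stem}-v6.list").write_text("\n".join(v6) + "\n")
    return len(v4), len(v6), rejected


if __name__ == "__main__":
    # Demo against the constructed sample in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "test-iprep.list"
        src.write_text(SAMPLE_LIST)
        n4, n6, bad = write_split_lists(src, Path(tmp) / "iprep")
        print(f"wrote {n4} IPv4 and {n6} IPv6 entries")
        for lineno, reason in bad:
            print(f"rejected line {lineno}: {reason}")
```

After running it on a real list, point the `reputation-files:` entries under `default-reputation-path:` in suricata.yaml at the two new files and reload; any line the script reports as rejected is worth fixing in the upstream feed before reloading, since that is the kind of entry that can stop the rest of the list from being applied.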
Before closing this thread, I have another question. Does Suricata actually have an engine similar to IPREP, but designed for domains instead of IPs? Something like DNSREP. The goal would be to have IP blacklists and domain blacklists, to massively block access, instead of creating separate rules for each domain, like some examples I have seen for sites like Facebook.
I got the response from @pevma. It looks like DATAREP should be an option to block domains given a blacklist. I will start testing this engine really soon, now that IPREP is working fine. The last test was successfully completed with more than 70200 items in a blacklist.