Suricata IP Reputation / Blacklisting

Hacker7 · February 10, 2022, 11:52am

hi ,
I am trying to alert / ignore traffic from a list of blacklisted IP
I am using IP Reputation mentioned in docs

reputation-categories-file: /usr/local/etc/suricata/iprep/categories.txt
default-reputation-path: /usr/local/etc/suricata/iprep
reputation-files:
 - reputation.list

My categories.txt

1,BadHosts,Known bad hosts

My Reputation List

10.0.0.1,1,1
10.0.0.2,1,100

I tried value 1 and 100 , it doesn’t affect , I can see this IP in eve.json
Here I want to know that do i need to create rules also using iprep ??
or what’s wrong

suricatalfon · February 10, 2022, 12:01pm

Hi,

I think you are missing the rules where to indicate the value of reputation. In my case it is: 80

alert ip any any -> any any (msg:"IPREP - Blocklist IP";iprep:any,Blocklist,>,80;sid:40004;rev:1;)

Hacker7 · February 10, 2022, 12:58pm

Thanks bro , it worked

Topic		Replies	Views
Trusted IP's Where a put Help	1	598	October 24, 2020
Suricata on AWS network firewall Help ips , suricata	0	704	September 24, 2022
Handle ET 3CORESec Poor Reputation IP groups rules Rules	4	496	October 20, 2023
Domain name reputation Help	8	1225	January 27, 2022
Newbie question about whitelisting IPs for a single rule Rules	4	885	December 19, 2022

Suricata IP Reputation / Blacklisting

Related Topics