What is the proper way to handle large ip list in Suricata rules?

yiyiyongfu · August 13, 2021, 5:51pm

Hey Suricata ninjas,
I am thinking if I have a large list of ip addresses that I would like to take action on, what would be the best way to write the rules? I am assuming I would need to put the ip addresses into either source ip or destination ip which satisfy the use case. And I know there is a 8kb size limit per rule so the naive way would be to separate it into multiple different rules. But is there a better approach?

Thanks!

IDSTower · August 14, 2021, 9:45am

Dear,

For this use case the best approach is to use the IPRep feature.

It is quite simple to implement.

Topic		Replies	Views
Sid allocation for ruleset I wish to share Rules	10	1138	January 8, 2023
Suricata can't define IP options Rules rules , suricata	9	177	March 23, 2024
How can I write some rules in IPS not just reset http connections Rules ips , rules , suricata	1	471	February 28, 2022
Trusted IP's Where a put Help	1	600	October 24, 2020
Behavior of matching negated IPv4 source / destination Rules	0	295	September 23, 2020

What is the proper way to handle large ip list in Suricata rules?

Related Topics