mirror of https://github.com/OISF/suricata
46 lines | 1.1 KiB | ReStructuredText
IP Reputation Keyword
=====================

IP Reputation can be used in rules through a new rule keyword "iprep".

For more information about IP Reputation see :doc:`/reputation/ipreputation/ip-reputation-config` and :doc:`/reputation/ipreputation/ip-reputation-format`.

iprep
-----

The iprep directive matches on the IP reputation information for a host.

::

  iprep:<side to check>,<category>,<operator>,<reputation score>

side to check: <any|src|dst|both>

category: the category short name

operator: <, >, =

reputation score: 1-127

Example:

::

  alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; flow:to_server; iprep:dst,CnC,>,30; sid:1; rev:1;)

This rule will alert when a system in $HOME_NET acts as a client while communicating with any IP in the CnC category that has a reputation score set to greater than 30.

IP-only
~~~~~~~

The "iprep" keyword is compatible with "IP-only" rules. This means that a rule like:

::

  alert ip any any -> any any (msg:"IPREP High Value CnC"; iprep:src,CnC,>,100; sid:1; rev:1;)

will only be checked once per flow-direction.
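The keyword syntax and the two rules above, worked through as an added example that is not Suricata's own code: a small Python model that parses an ``iprep`` option, validates its four fields, and evaluates it against a constructed reputation table. The table contents, the ``iprep_from_rule`` helper, and the side semantics (``any`` matches if either address does, ``both`` requires both) are assumptions of this example, not taken from the page.

```python
import operator as ops
import re
from dataclasses import dataclass

# Constructed sample reputation data (host -> {category short name: score});
# Suricata loads this from its iprep files, it is embedded here for the example.
REPUTATION = {
    "203.0.113.5": {"CnC": 45},
    "203.0.113.9": {"CnC": 120, "Scanner": 10},
    "198.51.100.7": {"Scanner": 80},
}
OPERATORS = {"<": ops.lt, ">": ops.gt, "=": ops.eq}  # the three allowed operators

@dataclass(frozen=True)
class IprepMatch:
    side: str      # any | src | dst | both
    category: str  # category short name
    operator: str  # < | > | =
    score: int     # 1-127

def parse_iprep(option: str) -> IprepMatch:
    """Parse the value of an iprep keyword, e.g. 'dst,CnC,>,30'."""
    parts = [p.strip() for p in option.split(",")]
    if len(parts) != 4:
        raise ValueError(f"iprep needs 4 fields, got {len(parts)}: {option!r}")
    side, category, op, score_str = parts
    if side not in ("any", "src", "dst", "both"):
        raise ValueError(f"bad side to check: {side!r}")
    if op not in OPERATORS:
        raise ValueError(f"bad operator: {op!r}")
    score = int(score_str)
    if not 1 <= score <= 127:
        raise ValueError(f"reputation score {score} outside 1-127")
    return IprepMatch(side, category, op, score)

def iprep_from_rule(rule: str) -> IprepMatch:
    """Pull the iprep option out of a full rule line and parse it (assumed helper)."""
    found = re.search(r"\biprep:([^;]+);", rule)
    if not found:
        raise ValueError("rule has no iprep keyword")
    return parse_iprep(found.group(1))

def host_matches(ip: str, m: IprepMatch) -> bool:
    """True if the host has a score in m.category that satisfies the operator."""
    score = REPUTATION.get(ip, {}).get(m.category)
    return score is not None and OPERATORS[m.operator](score, m.score)

def iprep_matches(src_ip: str, dst_ip: str, m: IprepMatch) -> bool:
    """Side semantics assumed here: any = either side, both = both sides."""
    src, dst = host_matches(src_ip, m), host_matches(dst_ip, m)
    return {"src": src, "dst": dst, "any": src or dst, "both": src and dst}[m.side]
```

Feeding the page's first rule through ``iprep_from_rule`` and a packet from an internal host to ``203.0.113.5`` shows the ``dst,CnC,>,30`` match firing, while the ``>,100`` rule only fires for the higher-scored host.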