IP Reputation Keyword
=====================

IP Reputation can be used in rules through a new rule keyword "iprep".

For more information about IP Reputation see :doc:`/reputation/ipreputation/ip-reputation-config` and :doc:`/reputation/ipreputation/ip-reputation-format`.

iprep
-----

The iprep directive matches on the IP reputation information for a host.

::

  iprep:<side to check>,<category>,<operator>,<reputation score>


side to check: <any|src|dst|both>

category: the category short name

operator: <, >, =

reputation score: 1-127

Example:

::

  alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; flow:to_server; iprep:dst,CnC,>,30; sid:1; rev:1;)

This rule will alert when a system in $HOME_NET acts as a client while communicating with any IP in the CnC category whose reputation score is greater than 30.
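To make the keyword semantics concrete, the following is an added example (not Suricata's own code): it parses an ``iprep`` keyword out of a rule line, validates the four fields described above, and evaluates it against a constructed reputation table. The table contents, the ``extract_iprep``/``iprep_matches`` helper names and the choice that a host with no score in the category never matches are assumptions made for this example.

```python
import operator
import re

# Constructed sample reputation data: {category short name: {ip: score}}.
# These addresses and scores are made up for the example.
REPUTATION = {
    "CnC": {"198.51.100.7": 80, "203.0.113.9": 20},
}

OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}
SIDES = ("any", "src", "dst", "both")
IPREP_RE = re.compile(r"iprep:([^;]+);")


def parse_iprep(keyword):
    """Parse 'iprep:<side>,<category>,<operator>,<score>' into a dict."""
    if not keyword.startswith("iprep:"):
        raise ValueError("not an iprep keyword")
    parts = [p.strip() for p in keyword[len("iprep:"):].split(",")]
    if len(parts) != 4:
        raise ValueError("iprep needs side, category, operator and score")
    side, category, op, score = parts
    if side not in SIDES:
        raise ValueError(f"bad side to check: {side!r}")
    if op not in OPS:
        raise ValueError(f"bad operator: {op!r}")
    score = int(score)
    if not 1 <= score <= 127:
        raise ValueError("reputation score must be 1-127")
    return {"side": side, "category": category, "op": op, "score": score}


def extract_iprep(rule):
    """Pull the iprep keyword from a full rule line; None if the rule has none."""
    m = IPREP_RE.search(rule)
    return parse_iprep("iprep:" + m.group(1)) if m else None


def host_matches(ip, spec):
    """Does this host's score in the category satisfy <operator> <score>?
    Assumption: a host with no entry in the category never matches."""
    rep = REPUTATION.get(spec["category"], {}).get(ip)
    return rep is not None and OPS[spec["op"]](rep, spec["score"])


def iprep_matches(spec, src_ip, dst_ip):
    """Apply the 'side to check' field: src, dst, either (any) or both."""
    src, dst = host_matches(src_ip, spec), host_matches(dst_ip, spec)
    return {"src": src, "dst": dst, "any": src or dst, "both": src and dst}[spec["side"]]
```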

IP-only
~~~~~~~

The "iprep" keyword is compatible with "IP-only" rules. This means that a rule like:

::

  alert ip any any -> any any (msg:"IPREP High Value CnC"; iprep:src,CnC,>,100; sid:1; rev:1;)

will only be checked once per flow-direction.