Using IPinfo's IP to Country ASN database in Kaspersky Suricata Rules

Kaspersky Suricata Rules support IP reputation based firewall system

To enable IP reputation component:

  • Uncomment the lines associated with IP reputation in the suricata.yaml file.
  • Add metadata categories for the blacklists IPs in the categories.txt file.
  • Then you have the reputation.list file that contains the IP addresses

Creating the IP categories

The categories.txt file is structured as a CSV file with the following columns:

  • ID
  • Name
  • Description

In the categories.txt file, you can add categories of IP addresses from IPinfo’s database products. It can be:

- IP geolocation database
- IP to Privacy Detection (VPN, TOR, bot) database
- IP to Company database etc.

But for this post, we will use the free IP to Country ASN database. We will create our filter based on ASN data and Country data.

I have randomly chosen some organizations and countries for this demonstration.

categories.txt

1,digital_ocean,Digital Ocean IPs
2,Malta,IP addresses from Malta
3,OVH,OVH cloud IPs
4,Nepal,IP addresses from Nepal

Extracting the IPs and adding reputation scores

The reputation.list file contain the IP addresses in a CSV format with the following columns:

  • IP address ranges
  • Category ID
  • Reputation score (Between 1-127)

For the reputation scores:

Category ID Reputation Score
Digital Ocean 1 120
Malta 2 54
OVH 3 12
Nepal 4 87

Running SQL queries on the IP to Country ASN Database

You can use DBMS, bash solution, programming language or any solution you want for this operation. You can use our CLI to convert the IP address ranges to their CIDR equivalent.

I am using our Snowflake listing for IP to Country ASN database here. The query might look complicated but it is actually not.

SELECT
  flat_data.value as IP_RANGE,
  '1' as "ID",
  '120' as "Reputation_Score"
  FROM (
    SELECT public.range_to_cidr(start_ip, end_ip) as ip_range
        FROM public.country_asn
        WHERE as_domain='digitalocean.com'
    ) do_ips,
TABLE(FLATTEN(do_ips.ip_range)) flat_data
UNION ALL
SELECT
  flat_data.value as IP_RANGE,
  '2' as "ID",
  '54' as "Reputation_Score"
  FROM (
    SELECT public.range_to_cidr(start_ip, end_ip) as ip_range
        FROM public.country_asn
        WHERE country='MT'
    ) malta_ips,
TABLE(FLATTEN(malta_ips.ip_range)) flat_data
UNION ALL
SELECT
  flat_data.value as IP_RANGE,
  '3' as "ID",
  '12' as "Reputation_Score"
  FROM (
    SELECT public.range_to_cidr(start_ip, end_ip) as ip_range
        FROM public.country_asn
        WHERE as_domain='ovhcloud.com'
    ) ovh_ips,
TABLE(FLATTEN(ovh_ips.ip_range)) flat_data
UNION ALL
SELECT
  flat_data.value as IP_RANGE,
  '4' as "ID",
  '87' as "Reputation_Score"
  FROM (
    SELECT public.range_to_cidr(start_ip, end_ip) as ip_range
        FROM public.country_asn
        WHERE country='NP'
    ) nepal_ips,
TABLE(FLATTEN(nepal_ips.ip_range)) flat_data

Creating the queries

  • If you are filtering by country, use the country code. E.g.: WHERE country='NP'
  • If you want to block the IPs of a particular AS organization, use their domain. E.g,: WHERE as_domain='ovhcloud.com'
  • Then you can run UNION ALL to combine all these queries into one query.

Result

image

Download the CSV file, and add the data to the reputation.list file.


If you have any question feel free to let us know.

1 Like

I USE FIRST ONE FOR VPN HOME PROTECTION BUT SECOND ONE IS MORE EXTENDED AND MORE BULSHIT SPYWARE, MALWARE, MASSCANNERS,… SERVER LIST:

https://perc.ddns.net/iplist-pcsnet.txt
IP LIST MALWARE NETWORK, SPYWARE, BULSHIT SCANNERS, WEPAPPS ATTACKERS,…

https://piramide.zapto.org/iplist-pcsnet.txt
CUMULATIVE LIST ALL OF UP PUBLISHED AUTO UPDATE ICH DAY 24/7/365

1 Like

That is an excellent IP list. Thank you for sharing. Suricata rules supports both IP ranges and individual IP addresses. Users can easily ingest these IPs into their IP reputation file.

1 Like