Kaspersky Suricata Rules support IP reputation based firewall system
To enable the IP reputation component:
- Uncomment the lines associated with IP reputation in the suricata.yaml file.
- Add metadata categories for the blacklisted IPs in the categories.txt file.
- Then you have the reputation.list file that contains the IP addresses.
Creating the IP categories
The categories.txt file is structured as a CSV file with the following columns:
- ID
- Name
- Description
In the categories.txt file, you can add categories of IP addresses from IPinfo’s database products. It can be:
- IP geolocation database
- IP to Privacy Detection (VPN, TOR, bot) database
- IP to Company database, etc.
But for this post, we will use the free IP to Country ASN database. We will create our filter based on ASN data and Country data.
I have randomly chosen some organizations and countries for this demonstration.
categories.txt
1,digital_ocean,Digital Ocean IPs
2,Malta,IP addresses from Malta
3,OVH,OVH cloud IPs
4,Nepal,IP addresses from Nepal
Extracting the IPs and adding reputation scores
The reputation.list file contains the IP addresses in a CSV format with the following columns:
- IP address ranges
- Category ID
- Reputation score (between 1-127)
For the reputation scores:
| Category | ID | Reputation Score |
|---|---|---|
| Digital Ocean | 1 | 120 |
| Malta | 2 | 54 |
| OVH | 3 | 12 |
| Nepal | 4 | 87 |
Running SQL queries on the IP to Country ASN Database
You can use a DBMS, a bash script, a programming language, or any other solution you like for this operation. You can use our CLI to convert the IP address ranges to their CIDR equivalent.
I am using our Snowflake listing for the IP to Country ASN database here. The query might look complicated, but it is actually not.
SELECT
    flat_data.value AS IP_RANGE,
    '1' AS "ID",
    '120' AS "Reputation_Score"
FROM (
    SELECT public.range2cidr(start_ip, end_ip) AS ip_range
    FROM public.country_asn
    WHERE as_domain = 'digitalocean.com'
) do_ips,
TABLE(FLATTEN(do_ips.ip_range)) flat_data
UNION ALL
SELECT
    flat_data.value AS IP_RANGE,
    '2' AS "ID",
    '54' AS "Reputation_Score"
FROM (
    SELECT public.range2cidr(start_ip, end_ip) AS ip_range
    FROM public.country_asn
    WHERE country = 'MT'
) malta_ips,
TABLE(FLATTEN(malta_ips.ip_range)) flat_data
UNION ALL
SELECT
    flat_data.value AS IP_RANGE,
    '3' AS "ID",
    '12' AS "Reputation_Score"
FROM (
    SELECT public.range2cidr(start_ip, end_ip) AS ip_range
    FROM public.country_asn
    WHERE as_domain = 'ovhcloud.com'
) ovh_ips,
TABLE(FLATTEN(ovh_ips.ip_range)) flat_data
UNION ALL
SELECT
    flat_data.value AS IP_RANGE,
    '4' AS "ID",
    '87' AS "Reputation_Score"
FROM (
    SELECT public.range2cidr(start_ip, end_ip) AS ip_range
    FROM public.country_asn
    WHERE country = 'NP'
) nepal_ips,
TABLE(FLATTEN(nepal_ips.ip_range)) flat_data
Creating the queries
- If you are filtering by country, use the country code, e.g.: WHERE country='NP'
- If you want to block the IPs of a particular AS organization, use their domain, e.g.: WHERE as_domain='ovhcloud.com'
- Then use UNION ALL to combine all these queries into one query.
Result
Download the CSV file, and add the data to the reputation.list file.
If you have any questions, feel free to let us know.
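The same range-to-CIDR conversion and reputation.list generation can be done offline without Snowflake. The script below is an added example, not part of the original post or IPinfo's tooling; it assumes a CSV with start_ip, end_ip, country and as_domain columns (the sample rows are constructed) and reproduces the four category/score rules from the table above.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the shape of the IP to Country ASN CSV
# (start_ip,end_ip,country,as_domain). Addresses are documentation /
# private ranges chosen for illustration, not real assignments.
SAMPLE_COUNTRY_ASN = """start_ip,end_ip,country,as_domain
10.0.0.0,10.0.0.255,US,digitalocean.com
192.0.2.0,192.0.2.127,MT,example.net
198.51.100.8,198.51.100.15,NP,example.org
203.0.113.0,203.0.113.255,FR,ovhcloud.com
"""

# (column filter, category ID, reputation score), mirroring the WHERE
# clauses of the SQL query and the score table in the post.
RULES = [
    ({"as_domain": "digitalocean.com"}, 1, 120),
    ({"country": "MT"}, 2, 54),
    ({"as_domain": "ovhcloud.com"}, 3, 12),
    ({"country": "NP"}, 4, 87),
]


def range2cidr(start_ip, end_ip):
    """Minimal list of CIDR blocks covering start_ip..end_ip inclusive.
    Stand-in for the Snowflake range2cidr() UDF; an arbitrary range may
    need several blocks (e.g. 10.0.0.1-10.0.0.4 -> /32, /31, /32)."""
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def build_reputation_list(csv_text, rules=RULES):
    """Return reputation.list lines in Suricata's <cidr>,<cat id>,<score>
    format. A range matching several rules yields one line per category,
    which the reputation.list format allows."""
    lines = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for match, cat_id, score in rules:
            if all(row.get(col) == val for col, val in match.items()):
                for cidr in range2cidr(row["start_ip"], row["end_ip"]):
                    lines.append(f"{cidr},{cat_id},{score}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_reputation_list(SAMPLE_COUNTRY_ASN)))
```

Redirect the output into reputation.list; the category IDs must match the first column of categories.txt.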