Building IP Reputation Lists from Snort Rules

We are already a few days into 2014 and this is my first blog post of the year! So, let me wish you a wonderful 2014 for you and your family! Let’s start with a quick post about building IP address reputation lists. This topic was discussed on a mailing list today: where to find good sources for IP reputation services?

Indeed, IP addresses remain a very common IoC (“Indicator of Compromise“). They can help to identify C&C servers, spammers, compromised websites, etc. Most vendors offer such a service with their products, and they are of course paid services.

To build a simple IP reputation list, a quick win is to use a set of Snort rules like the ones provided by emergingthreats.net. While they offer an IP reputation system called IQrisk, they also provide a feed of Snort rules that can be deployed in your ID(P)S instances. The content is excellent and the feed comes in two versions: one paid and one free. The free one is only a subset of the full version, but it already contains a lot of interesting rules to build our reputation system. Example:

alert ip [2.229.117.159,4.35.96.216,5.135.146.0,5.254.101.69,5.254.101.72,23.235.233.216, \
23.238.232.114,31.192.108.35,37.187.26.86,37.187.74.17] any -> $HOME_NET any (msg:"ET \
CINS Active Threat Intelligence Poor Reputation IP group 1"; reference:url, \
www.cinsscore.com; reference:url,www.networkcloaking.com/cins; threshold: type limit,\
track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:664;)

Once you have subscribed to the open feed, it’s easy to extract the IP addresses from the *.rules files to build your reputation list and use it with other products like a SIEM. This can be done with a few lines of Python:

# cd /data/suricata/etc/suricate/rules
# /usr/local/bin/build_reputation_list.py >/tmp/ip.tmp
# head -5 /tmp/ip.tmp
46.17.98.214
37.187.74.17
59.63.183.233
61.174.63.71
67.216.253.197
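
The script itself is not reproduced above, so here is an added example of the extraction step (my own code, not the script from the author's GitHub toolbox). It assumes rules in the form shown in the example above (`alert ip [a,b,c] any -> $HOME_NET any (...)`), joins backslash line continuations before parsing, skips commented-out (disabled) rules, and ignores variables such as `$HOME_NET` and negated entries, since those describe the local network rather than hostile addresses. The sample rules embedded in it are constructed for the demo and are not content of the ET feed; CIDR blocks are kept as blocks rather than expanded into hosts.

```python
#!/usr/bin/env python3
"""Extract IP addresses from Snort/Suricata rule files to build a reputation list.

Added example, not the author's toolbox script. Usage:
    build_reputation_list.py emerging-ciarmy.rules emerging-compromised.rules > ip.tmp
With no arguments it runs on the constructed SAMPLE_RULES below.
"""
import ipaddress
import re
import sys
from pathlib import Path

# Rule header: action proto src sport direction dst dport, followed by "(" options.
# Address/port fields are either a bracketed list or a single whitespace-free token.
RULE_HEADER = re.compile(
    r"^(?:alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<src>\[[^\]]*\]|\S+)\s+(?P<sport>\[[^\]]*\]|\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\[[^\]]*\]|\S+)\s+(?P<dport>\[[^\]]*\]|\S+)\s*\("
)

# Constructed sample in the style of the ET open feed (documentation ranges, not feed content).
SAMPLE_RULES = r"""
alert ip [192.0.2.10,192.0.2.11,198.51.100.0/24, \
203.0.113.5] any -> $HOME_NET any (msg:"SAMPLE Poor Reputation IP group 1"; \
threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:1000001; rev:1;)
# alert ip [192.0.2.99] any -> $HOME_NET any (msg:"SAMPLE disabled rule"; sid:1000002; rev:1;)
alert ip $HOME_NET any -> [203.0.113.5,203.0.113.6] any (msg:"SAMPLE outbound to known bad"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE generic ssh rule"; sid:1000004; rev:1;)
"""


def parse_address_field(field):
    """Parse one address field (single IP/CIDR, variable, or [a,b,!c] list) into networks.

    Variables ($HOME_NET, 'any') and negated entries are skipped: they describe what
    is NOT the hostile side. A negated list (![...]) is skipped as a whole.
    """
    nets = set()
    if field.startswith("!"):
        return nets
    for token in re.sub(r"[\[\]]", "", field).split(","):  # flatten nested lists
        token = token.strip()
        if not token or token.startswith(("$", "!")) or token == "any":
            continue
        try:
            nets.add(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # not an address; ignore
    return nets


def extract_ips(rule_text, include_destinations=False):
    """Return the set of networks named as rule sources (and destinations, if asked).

    Bidirectional rules (<>) always contribute both ends. Disabled rules (leading '#')
    are ignored so that IPs the feed maintainers withdrew do not stay on the list.
    """
    joined = re.sub(r"\\\s*\n\s*", "", rule_text)  # join backslash continuations
    found = set()
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_HEADER.match(line)
        if not m:
            continue
        fields = [m.group("src")]
        if include_destinations or m.group("dir") == "<>":
            fields.append(m.group("dst"))
        for field in fields:
            found |= parse_address_field(field)
    return found


def format_entries(nets):
    """Sorted, de-duplicated list: bare address for single hosts, CIDR for blocks."""
    return [
        str(n.network_address) if n.prefixlen == n.max_prefixlen else n.with_prefixlen
        for n in sorted(nets, key=lambda n: (n.version, n))
    ]


def build_reputation_list(paths, include_destinations=False):
    """Read every rules file in `paths` and return the merged, formatted list."""
    nets = set()
    for path in paths:
        nets |= extract_ips(Path(path).read_text(errors="replace"), include_destinations)
    return format_entries(nets)


def demo():
    """Run the extraction on the constructed sample (sources only)."""
    return format_entries(extract_ips(SAMPLE_RULES))


if __name__ == "__main__":
    entries = build_reputation_list(sys.argv[1:]) if len(sys.argv) > 1 else demo()
    print("\n".join(entries))
```

The default of taking only source addresses matches the "Poor Reputation IP" rule shape, where the hostile side is the source; pass `include_destinations=True` if your feed also carries outbound "connection to known bad host" rules and you want those destinations on the list too.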

Once done, import the file into your favourite tool. The script is available in my toolbox on GitHub.
