We are already in 2014 for a few days and this is my first blog post for this year! So, let me wish you a wonderful 2014 for you and you family! Let’s start with a quick post about building IP addresses reputation list. This topic was discussed on a mailing list today: Where to find good sources for IP reputation services?
Indeed, IP addresses remain a very common IoC (“Indicator of Compromize“). They can help to identify C&C servers, spammers, compromized websites, etc. Most vendors propose such service with their product. They are of course paid services.
To build a simple IP reputation list, a quick win is to use a set of Snort rules like the one provided by emergingthreats.net. If they provide an IP reputation system called IQrisk, they also provide a feed of Snort rules that can be deployed in your ID(P)S instances. The content is excellent and the feed is proposed in two versions: one paying and one free. The second one is only a subset of the full version but it already contains a lot of interesting stuff. It contains a lot of interesting rules to build our reputation system. Example:
alert ip [220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206, \ 220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199] any -> $HOME_NET any (msg:"ET \ CINS Active Threat Intelligence Poor Reputation IP group 1"; reference:url, \ www.cinsscore.com; reference:url,www.networkcloaking.com/cins; threshold: type limit,\ track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:664;)
Once you subscribed to the open feed, it’s easy to extract the IP addresses from the *.rules files to build your reputation list and use it with other products like a SIEM. This can be easily performed with a few lines of Python:
# cd /data/suricata/etc/suricate/rules # /usr/local/bin/build_reputation_list.py >/tmp/ip.tmp # head -5 /tmp/ip.tmp 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124
Once done, import the file into your favourite tool. The script is available in my toolbox on GitHub.