Building IP Reputation Lists from Snort Rules

ReputationWe are already in 2014 for a few days and this is my first blog post for this year! So, let me wish you a wonderful 2014 for you and you family! Let’s start with a quick post about building IP addresses reputation list. This topic was discussed on a mailing list today: Where to find good sources for IP reputation services?

Indeed, IP addresses remain a very common IoC (“Indicator of Compromize“). They can help to identify C&C servers, spammers, compromized websites, etc. Most vendors propose such service with their product. They are of course paid services.

To build a simple IP reputation list, a quick win is to use a set of Snort rules like the one provided by If they provide an IP reputation system called IQrisk, they also provide a feed of Snort rules that can be deployed in your ID(P)S instances. The content is excellent and the feed is proposed in two versions: one paying and one free. The second one is only a subset of the full version but it already contains a lot of interesting stuff. It contains a lot of interesting rules to build our reputation system. Example:

alert ip [,,,,,, \,,,] any -> $HOME_NET any (msg:"ET \
CINS Active Threat Intelligence Poor Reputation IP group 1"; reference:url, \; reference:url,; threshold: type limit,\
track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:664;)

Once you subscribed to the open feed, it’s easy to extract the IP addresses from the *.rules files to build your reputation list and use it with other products like a SIEM. This can be easily performed with a few lines of Python:

# cd /data/suricata/etc/suricate/rules
# /usr/local/bin/ >/tmp/ip.tmp
# head -5 /tmp/ip.tmp

Once done, import the file into your favourite tool. The script is available in my toolbox on GitHub.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.