Categories file
~~~~~~~~~~~~~~~
-The categories file provides a mapping between a category number, short name and long description. It's a simple CSV file:
+The categories file provides a mapping between a category number, short name, and long description. It's a simple CSV file:
::
- <id>,<short name>,<discription>
+ <id>,<short name>,<description>
Example:
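Review bot: the `::` marker is followed directly by the indented ` <id>,<short name>,<description>` line with no blank line between them; reStructuredText needs a blank line after `::` for the indented text to render as a literal block, so add one here, as the reputation file block later in this patch does. The `discription` typo fix and the added comma are fine.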
~~~~~~~~~~~~~~~
The reputation file lists a reputation score for hosts in the categories. It's a simple CSV file:
-> <ip>,<cat>,<score>
-The IP is an IPv4 address in the quad-dotted notation. The category is the number as defined in the categories file and the value is a number between 1 and 127. 0 means no data.
+::
+
+
+ <ip>,<category>,<reputation score>
+
+The IP is an IPv4 address in the quad-dotted notation. The category is the number as defined in the categories file. The reputation score is the confidence that this IP is in the specified category, represented by a number between 1 and 127 (0 means no data).
Example:
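Review bot: the new literal block has two blank lines between `::` and ` <ip>,<category>,<reputation score>` but only one after it; a single blank line is enough for the directive, so drop the extra one to keep the spacing consistent across the file. Renaming `<cat>` and `<score>` to `<category>` and `<reputation score>` is a good change since it matches the field names now used in the iprep keyword syntax.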
::
- iprep:<side to check>,<cat>,<operator>,<value>
+ iprep:<side to check>,<category>,<operator>,<reputation score>
side to check: <any|src|dst|both>
-cat: the category short name
+category: the category short name
operator: <, >, =
-value: 1-127
+reputation score: 1-127
Example:
alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; flow:to_server; iprep:dst,CnC,>,30; sid:1; rev:1;)
+This rule will alert when a system in $HOME_NET performs a client request while communicating with any IP in the CnC category that has a reputation score set to greater than 30.
+
IP-only
~~~~~~~
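Review bot: the example rule `alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; ...)` sits directly under `Example:` as an unindented paragraph rather than inside a `::` literal block, so Sphinx will render it as running prose; indent it under `::` the way the keyword syntax block above is laid out. The added explanation is consistent with the rule: `flow:to_server` restricts the match to the client-to-server direction and `iprep:dst,CnC,>,30` checks the destination address against the CnC category for a score above 30.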