Xavier Mertens: Building IP Reputation Lists from Snort Rules

We are already a few days into 2014 and this is my first blog post of the year! So, let me wish you and your family a wonderful 2014! Let's start with a quick post about building an IP address reputation list. This topic was discussed on a mailing list today: where to find good sources for IP reputation services?

Indeed, IP addresses remain a very common IoC ("Indicator of Compromise"). They can help to identify C&C servers, spammers, compromised websites, etc. Most vendors offer such a service with their products, but they are of course paid services.

To build a simple IP reputation list, a quick win is to use a set of Snort rules like the ones provided by emergingthreats.net. Besides their IP reputation system called IQrisk, they also provide a feed of Snort rules that can be deployed in your ID(P)S instances. The content is excellent and the feed comes in two versions: one paid and one free. The free one is only a subset of the full version, but it already contains a lot of interesting rules from which to build our reputation list. Example:

alert ip [2.229.117.159,4.35.96.216,5.135.146.0,5.254.101.69,5.254.101.72,23.235.233.216, \
23.238.232.114,31.192.108.35,37.187.26.86,37.187.74.17] any -> $HOME_NET any (msg:"ET \
CINS Active Threat Intelligence Poor Reputation IP group 1"; reference:url, \
www.cinsscore.com; reference:url,www.networkcloaking.com/cins; threshold: type limit,\
track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:664;)

Once you have subscribed to the open feed, it is easy to extract the IP addresses from the *.rules files to build your reputation list and use it with other products like a SIEM. This can be performed with a few lines of Python; here is the script in action:

# cd /data/suricata/etc/suricate/rules
# /usr/local/bin/build_reputation_list.py >/tmp/ip.tmp
# head -5 /tmp/ip.tmp
46.17.98.214
37.187.74.17
59.63.183.233
61.174.63.71
67.216.253.197

Once done, import the file into your favourite tool. The script is available in my toolbox on GitHub.
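For readers who want to see how such an extraction works before grabbing the script, here is an added example written for this page (it is not the author's GitHub script and makes no claim about how that script is implemented). It rejoins rules split with backslash continuations, reads the rule header (action, protocol, source, source port, direction, destination, destination port), walks bracketed and nested address lists, keeps literal IPs and CIDR blocks from both the source and destination fields, and deliberately skips `any`, rule variables such as `$HOME_NET`, negated entries (`!x` means "everything except x", so x is not a bad address) and commented-out rules. The sample rules embedded below are constructed for the example: the first is the ET CINS rule quoted above, the others (sids 9000001 to 9000003) are made up.

```python
"""
Added example, not the author's GitHub script: extract literal IP addresses and
CIDR blocks from Snort/Suricata rule headers to build a reputation list.
"""
import ipaddress
import sys
from pathlib import Path

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

# Constructed sample input: the ET CINS rule from the post (wrapped with
# backslash continuations), a rule with a CIDR in its destination list, a rule
# with a negated source list and one disabled (commented-out) rule.
SAMPLE_RULES = r"""alert ip [2.229.117.159,4.35.96.216,5.135.146.0,5.254.101.69,5.254.101.72,23.235.233.216, \
23.238.232.114,31.192.108.35,37.187.26.86,37.187.74.17] any -> $HOME_NET any (msg:"ET \
CINS Active Threat Intelligence Poor Reputation IP group 1"; reference:url, \
www.cinsscore.com; reference:url,www.networkcloaking.com/cins; threshold: type limit,\
track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:664;)
alert tcp $HOME_NET any -> [192.0.2.0/24,198.51.100.7] 80 (msg:"sample outbound"; sid:9000001; rev:1;)
alert udp ![10.0.0.0/8,any] 53 -> 203.0.113.9 53 (msg:"sample negated src"; sid:9000002; rev:1;)
#alert ip 198.51.100.99 any -> $HOME_NET any (msg:"sample disabled"; sid:9000003; rev:1;)
"""


def join_continuations(text):
    """Rejoin rules split over several lines with a trailing backslash.
    The pieces are glued with a single space; the bracket-aware tokenizer
    below copes with a space landing inside an address list."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf:
            rules.append(buf)
        buf = ""
    if buf:
        rules.append(buf)
    return rules


def split_depth0(text, seps):
    """Split text at any character in `seps`, but only outside [...] brackets."""
    parts, cur, depth = [], "", 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if depth == 0 and ch in seps:
            if cur.strip():
                parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def parse_addresses(expr, negated=False):
    """Recursively yield (network, negated) for every literal address in an
    address expression such as '[1.2.3.4,![10.0.0.0/8,any],$HOME_NET]'."""
    expr = expr.strip()
    if expr.startswith("!"):
        negated, expr = not negated, expr[1:].strip()
    if expr.startswith("[") and expr.endswith("]"):
        for part in split_depth0(expr[1:-1], ","):
            yield from parse_addresses(part, negated)
        return
    if expr.lower() == "any" or expr.startswith("$"):
        return  # wildcard or rule variable: nothing literal to collect
    try:
        yield ipaddress.ip_network(expr, strict=False), negated
    except ValueError:
        pass  # not an address literal, ignore


def rule_networks(rule):
    """Return the set of literal, non-negated networks named in one rule's
    source and destination fields. Comments, disabled rules (leading '#') and
    lines that do not look like a rule header yield an empty set."""
    if not rule or rule.startswith("#"):
        return set()
    header = rule.split("(", 1)[0]  # options start at the first '('
    tokens = split_depth0(header, " \t")
    # Expected shape: action proto src sport direction dst dport
    if len(tokens) != 7 or tokens[0] not in ACTIONS or tokens[4] not in ("->", "<>"):
        return set()
    return {net for field in (tokens[2], tokens[5])
            for net, negated in parse_addresses(field) if not negated}


def build_list(text):
    """Parse rules text and return the sorted, de-duplicated reputation list:
    plain addresses for single hosts, CIDR notation for larger blocks."""
    nets = set()
    for rule in join_continuations(text):
        nets |= rule_networks(rule)
    ordered = sorted(nets, key=lambda n: (n.version, n))
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in ordered]


if __name__ == "__main__":
    # Usage: build_reputation_list.py *.rules  (no arguments: run on the sample)
    paths = sys.argv[1:]
    text = "\n".join(Path(p).read_text(errors="replace") for p in paths) if paths else SAMPLE_RULES
    print("\n".join(build_list(text)))
```

Two design points worth keeping in mind when you adapt this: negated entries are dropped rather than inverted, because `!$HOME_NET` or `![10.0.0.0/8]` describes the rest of the Internet, not an indicator; and addresses are taken from both header fields, since the ET rules put the bad list on the source side for inbound rules and on the destination side for outbound ones.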
