How I can use IP-reputation with snort alert logs?

hespinoza · ‎06-28-2013

hello:

thanks

hespinoza · ‎07-19-2013

EXTRACT-clientip = (?\d+.\d+.\d+.\d+)(?::\d+)* -> \d+.\d+.\d+.\d+(?::\d+)\s$

Matthias_BY · ‎07-10-2013

Hi,

you need to extract the source ip address into the "clientip" field. once done you can create lookups with

| lookup threatscore clientip | table clientip threatscore

you'll then have a table with all attacking ip's + the threat score enriched. In case you have a lot of logs - you might do this via summary reports to avoid that everytime you review your report it's loaded and the lookup is generating a lot of dns requests.

br
matthias

Ayn · ‎06-28-2013

Well how DO you want to use IP reputation with snort alert logs?

How I can use IP-reputation with snort alert logs?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>