hello:
How can I use IP reputation with Snort alert logs?
thanks
EXTRACT-clientip = (?
Hi,
You need to extract the source IP address into the "clientip" field. Once that is done, you can create lookups with
| lookup threatscore clientip | table clientip threatscore
You'll then have a table with all attacking IPs plus the enriched threat score. In case you have a lot of logs, you might do this via summary reports, to avoid that every time you review the report it is reloaded and the lookup generates a lot of DNS requests.
br
matthias
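The two steps in the answer above (extract the source address of each Snort alert into clientip, then join it against a threatscore lookup and summarize) as an added, stand-alone Python example; this is not code from the original thread or from Splunk. It assumes Snort's "fast" alert line format for the sample events and a CSV lookup with the columns clientip and threatscore; both the alert lines and the scores are constructed sample data, and the 0-100 score scale is an assumption.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Snort "fast" alert lines (sample data, not real events).
SNORT_ALERTS = """\
02/09-13:40:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.45:4444 -> 192.0.2.10:51432
02/09-13:40:05.000001  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:55123 -> 192.0.2.10:3306
02/09-13:40:09.500000  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:55124 -> 192.0.2.11:3306
02/09-13:41:00.000000  [**] [1:1000001:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
"""

# Constructed lookup standing in for the "threatscore" lookup from the answer:
# one row per IP with a reputation score (assumed 0-100 scale).
THREATSCORE_CSV = """\
clientip,threatscore
203.0.113.45,95
198.51.100.7,60
"""

# Matches the "{PROTO} src[:port] -> dst[:port]" tail of a fast-alert line and
# captures the source address as "clientip", the field name used in the answer.
CLIENTIP_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<clientip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<destip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)


def extract_clientip(line):
    """Return the source IP of a Snort fast-alert line, or None if it does not match."""
    m = CLIENTIP_RE.search(line)
    return m.group("clientip") if m else None


def load_threatscore(csv_text):
    """Load the lookup into a dict keyed by clientip, like a CSV lookup table."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["clientip"]: int(row["threatscore"]) for row in reader}


def enrich(alert_text, lookup):
    """Equivalent of `| lookup threatscore clientip | table clientip threatscore`."""
    rows = []
    for line in alert_text.splitlines():
        ip = extract_clientip(line)
        if ip is None:
            continue  # no parseable "src -> dst" tail on this line; skip it
        # None marks an IP with no entry in the lookup, like an empty lookup field.
        rows.append({"clientip": ip, "threatscore": lookup.get(ip)})
    return rows


def summarize(rows):
    """Collapse per-alert rows into one row per IP (alert count + score): the
    pre-aggregated result a summary report would store, so the lookup is not
    re-run over every raw event each time the report is viewed."""
    counts = defaultdict(int)
    scores = {}
    for r in rows:
        counts[r["clientip"]] += 1
        scores[r["clientip"]] = r["threatscore"]
    # Highest-scored sources first; unknown IPs (no score) sort last.
    return sorted(
        ({"clientip": ip, "alerts": counts[ip], "threatscore": scores[ip]} for ip in counts),
        key=lambda r: (-(r["threatscore"] or 0), r["clientip"]),
    )


if __name__ == "__main__":
    table = summarize(enrich(SNORT_ALERTS, load_threatscore(THREATSCORE_CSV)))
    print(f"{'clientip':<16}{'alerts':>7}{'threatscore':>13}")
    for r in table:
        print(f"{r['clientip']:<16}{r['alerts']:>7}{str(r['threatscore']):>13}")
```

The regex anchors on the "{PROTO} src -> dst" tail rather than on the first dotted quad in the line, so a rule message that happens to contain an address does not get picked up as the attacker; summarize() is the part that belongs in a scheduled summary search when raw alert volume is high.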
Well how DO you want to use IP reputation with snort alert logs?