How efficient is Suricata for blocking IPs?

Hi, I have come from a distro with Snort rather than Suricata, and Snort generally places a high single-core load on a processor. Suricata, I believe, is multi-core.

In the Emerging Threats databases there are a whole bunch of what are just IP blocks - 3coresec, drop, botcc.portgrouped, botcc, ciarmy, compromised, dshield and tor.

Because of the load Snort caused, I parsed all the above files and created ipset lists for them and blocked them directly in the firewall. It saves Snort from having to detect if there was any traffic to or from the IPs and then adding a single IP blocking rule. With the ipset sets, all the IPs were permanently blocked.

Would it help if I did the same here, to relieve the load from Suricata?

Quite a lot of those IP block lists from the Emerging Threats Suricata rulesets are covered by the IP Address Blocklists function, such as dshield, ciarmy and emerging compromised.

So you would be better off selecting them via the IP Blocklists rather than in the IPS.

The IP Address Blocklists function has the Spamhaus DROP list, but this is covered by the "Drop packets from and to hostile networks" option in the firewall options section.

The release of Core Update 170 gave some description about the three different IP Blocking methods that exist in IPFire.
https://www.ipfire.org/blog/ipfire-2-27-core-update-170-released

1 Like

Thanks. That saves me a lot of effort trying to learn the inner working of IPFire!

BTW, it looks like the link to ALIENVAULT in the IP Address Blocklists screen 404s.

I confirm that. Alienvault was taken over by AT&T Security around 6 years ago, and it looks like all the old Alienvault web pages have been progressively removed and replaced by AT&T pages on their own products, which have to be paid for.

The link for the reputation.generic file that is used for the IP Blocklist is still available.
Searching on the AT&T Security site for reputation.generic gets you to a webpage on the alienvault OTX product.

I also found a posting from 4 years ago in the AT&T Security support area about some false positives in the reputation.generic file that were being used to feed into a blacklist, and the response was:

The root issue may be in expectations here. The OTX reputation list is not a blocklist. It is a reputation history for any domain or IP address in the database, including several information vectors collected from a number of sources, which is used to create a risk score for a particular address or domain. You can find an explanation of this in the following article, or in the OTX services documentation

https://success.alienvault.com/s/article/Can-I-use-the-OTX-IP-Reputation-List-as-a-blocklist

given that the reputation list contains both current and previous activity, as well as other data, using the list as a strict blocklist is well outside the intended use of the service.

So this makes it sound like the list is not really appropriate for the IPFire IP Blocklist.

Fortunately, I didn't enable it as I didn't know what it was and the link 404'd… Thanks for researching it.

You could replace the old "Info" with this link:

https://success.alienvault.com/s/topic/0TO0Z000000oRS1WAM/open-threat-exchange-otx

The "original" Info link is:

https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputation

What an interesting list format; it includes GPS coordinates??

###
# Alienvault IP Reputation Database
# https://reputation.alienvault.com/
###

# Generic format

49.143.32.6 # Malicious Host KR,,37.5111999512,126.974098206
222.77.181.28 # Malicious Host CN,,24.4797992706,118.08190155
180.151.24.60 # Malicious Host IN,Gurgaon,28.4666996002,77.0333023071
157.61.212.1 # Malicious Host CN,Guangzhou,23.1166992188,113.25
70.50.152.130 # Malicious Host CA,Brossard,45.4673995972,-73.4832000732
193.169.252.158 # Malicious Host PL,,52.2393989563,21.0361995697
100.27.42.242 # Malicious Host US,Ashburn,39.0480995178,-77.4728012085
100.27.42.243 # Malicious Host US,Ashburn,39.0480995178,-77.4728012085
100.27.42.244 # Malicious Host US,Ashburn,39.0480995178,-77.4728012085
100.27.42.241 # Malicious Host US,Ashburn,39.0480995178,-77.4728012085

I am looking at the log summaries and IPB system log files, and I don't see any updates being logged for the last 3 months, and it never shows that the list was updated; it just says,

ipblocklist: Skipping ALIENVAULT blocklist - It has not been modified!

Maybe time to retire this list??

Did you start using the Alienvault list 3 months ago, or was it enabled for longer?

If longer ago, can you check back through the logs to see whether it has always been reported as not modified?

Unfortunately the file itself has no date/time info, and I don't know of any way to identify when the file was last updated on the website.

It would be good to know if it stopped being updated 3 months ago or hasn't been updated for some years.

I started to use it right away, more than 3 months ago. I assume my IPF only saves logs for 3 months?

IPFire keeps 52 weeks' worth of logs, but if you did a re-install and your backup was without logs then you would start fresh.

You can check by seeing what number the archived messages files go to.

I see > messages.52.gz

BTW, I don't see any updates to the Alienvault list, but I will keep an eye on it and start comparing the actual file.

Do you know where IPFire stores the blocklist?

No one even answered a question about the list for 7 years.

I am also coming to the view that the Alienvault list is not an active one, and maybe hasn't been for quite a long time.

I think I should split this topic into an Alienvault-specific one, but I will wait for your reply.

So I am looking for the actual local version of the Alienvault file.

When you look inside
/var/lib/ipblocklist/

you will see 'ALIENVAULT.conf' dated 2022-11-03.

That looks like the last version:

#Autogenerated file. Any custom changes will be overwritten!


create ALIENVAULTv4 hash:net family inet hashsize 1024 maxelem 1218 -exist
flush ALIENVAULTv4
add ALIENVAULTv4 49.143.32.6
add ALIENVAULTv4 222.77.181.28
add ALIENVAULTv4 180.151.24.60
add ALIENVAULTv4 157.61.212.1
add ALIENVAULTv4 70.50.152.130
add ALIENVAULTv4 193.169.252.158
add ALIENVAULTv4 100.27.42.242
add ALIENVAULTv4 100.27.42.243
add ALIENVAULTv4 100.27.42.244
add ALIENVAULTv4 100.27.42.241
add ALIENVAULTv4 156.251.136.4
add ALIENVAULTv4 103.231.172.42
add ALIENVAULTv4 185.128.41.50
add ALIENVAULTv4 45.146.164.110
add ALIENVAULTv4 4.71.37.45
add ALIENVAULTv4 4.71.37.46
add ALIENVAULTv4 210.13.110.60
add ALIENVAULTv4 103.40.172.173
add ALIENVAULTv4 203.248.175.71
add ALIENVAULTv4 203.248.175.72
add ALIENVAULTv4 216.4.95.61
add ALIENVAULTv4 140.206.86.124
add ALIENVAULTv4 216.4.95.62
add ALIENVAULTv4 103.40.172.189
add ALIENVAULTv4 202.129.58.130
add ALIENVAULTv4 46.4.123.15
add ALIENVAULTv4 59.63.207.69
add ALIENVAULTv4 80.14.216.204
1 Like
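As an added example (not part of this thread, and not IPFire's or Emerging Threats' code), here is a small Python script that does what the first post describes, pulling the address groups out of the ET IP-only rule files, and that also reads the Alienvault reputation.generic layout quoted above, then writes an ipset restore script in the create/flush/add form of the ALIENVAULT.conf shown. The rule line shape (`alert ip [a,b,c] any -> $HOME_NET any (...)`), the sample lines, the function names and the maxelem sizing are assumptions or constructed for this example; the real files are far longer.

```python
"""Turn IP-only blocklists into an ipset restore script.

Added example (not IPFire's or Emerging Threats' code). It handles the two
formats discussed in this thread:
  1. Emerging Threats IP-only rules, where the source or destination field is
     a bracketed group such as [5.8.37.0/24,5.134.128.0/19] (shape assumed from
     the public emerging-*.rules files; the sample below is constructed).
  2. Alienvault reputation.generic lines, "<ip> # Malicious Host CC,City,lat,lon".
Output mimics the create/flush/add layout of /var/lib/ipblocklist/*.conf.
"""
import ipaddress
import re

# Constructed sample in the shape of an ET IP-only rule file. Only "ip"
# protocol rules with a bracketed address group are treated as a blocklist.
ET_RULES_SAMPLE = """\
# Emerging Threats DROP list (constructed sample, 2 groups)
alert ip [5.8.37.0/24,5.134.128.0/19,23.226.128.0/17] any -> $HOME_NET any (msg:"ET DROP sample group 1 inbound"; classtype:misc-attack; sid:2400000; rev:1;)
alert ip $HOME_NET any -> [5.8.37.0/24,45.4.0.0/16] any (msg:"ET DROP sample group 1 outbound"; classtype:misc-attack; sid:2400001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"not an IP-only rule, ignored"; sid:1; rev:1;)
"""

# Constructed sample in the reputation.generic layout quoted in the thread,
# plus one malformed line that a parser must reject rather than pass to ipset.
REPUTATION_SAMPLE = """\
###
# Alienvault IP Reputation Database
###
# Generic format
49.143.32.6 # Malicious Host KR,,37.5111999512,126.974098206
180.151.24.60 # Malicious Host IN,Gurgaon,28.4666996002,77.0333023071
300.1.2.3 # Malicious Host XX,,0,0   <- not a valid IPv4 address
"""

_GROUP_RE = re.compile(r"\[([0-9a-fA-F:./,\s]+)\]")   # bracketed address group


def _add_ipv4(nets, token):
    """Add token to nets if it parses as an IPv4 address or CIDR; else drop it."""
    try:
        net = ipaddress.ip_network(token.strip(), strict=False)
    except ValueError:
        return                      # malformed entry: never emit it to ipset
    if net.version == 4:            # the sets here are "family inet" (IPv4 only)
        nets.add(net)


def parse_et_ip_rules(text):
    """Collect the address groups from IP-only rules (proto field == 'ip')."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)         # action, proto, rest of header
        if len(fields) < 3 or fields[1] != "ip":
            continue
        header = line.split("(", 1)[0]       # everything before the option block
        for group in _GROUP_RE.findall(header):
            for token in group.split(","):
                _add_ipv4(nets, token)
    return nets


def parse_reputation_generic(text):
    """Collect the leading address of each '<ip> # comment' line."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _add_ipv4(nets, line.split("#", 1)[0])   # drop the "# Malicious Host ..." tail
    return nets


def to_ipset_restore(name, nets, hashsize=1024):
    """Render nets as an `ipset restore` script in the layout of the
    ALIENVAULT.conf shown in the thread. Nested and adjacent networks are
    merged first so the kernel set stays small; maxelem is sized to the merged
    list (assumption: IPFire's own sizing rule is not shown in the thread)."""
    merged = sorted(ipaddress.collapse_addresses(nets),
                    key=lambda n: int(n.network_address))
    lines = [
        "#Autogenerated file. Any custom changes will be overwritten!",
        f"create {name} hash:net family inet hashsize {hashsize} "
        f"maxelem {max(len(merged), 1)} -exist",
        f"flush {name}",
    ]
    for n in merged:
        # single hosts are written bare (49.143.32.6), as in the IPFire file
        entry = str(n.network_address) if n.prefixlen == 32 else n.with_prefixlen
        lines.append(f"add {name} {entry}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_ipset_restore("ETDROPv4", parse_et_ip_rules(ET_RULES_SAMPLE)))
    print(to_ipset_restore("ALIENVAULTv4", parse_reputation_generic(REPUTATION_SAMPLE)))
```

To use it on the real files, pass their contents to `parse_et_ip_rules` or `parse_reputation_generic` and load the rendered text with `ipset restore`. Malformed lines are dropped instead of being written into the script, so a truncated or corrupted download cannot make the set load fail halfway, and merging nested networks keeps the set smaller than the raw line count.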

Sorry for the slow response.

I have checked the code, and the .conf files are where the ipblocklists are stored.

If you had a blocklist enabled but then disabled it, a .conf file will stay there with the status from when it was last updated.

If your ALIENVAULT.conf file is showing 2022-11-03, then either that is when it was last updated, or it is when you first started using it, if the list is not being updated.
I am presuming that you still have the ALIENVAULT list enabled.

If so, then it is at least 16 months since the list was last updated, but it could be even older if 2022-11-03 is when you first enabled that list.

I have compared your list dated 2022-11-03 to the current version that is downloaded and those initial lines you showed are identical.

I think this list should be removed from the IP Address Blocklists.