Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata IP Reputation Configuration Help

    IDS/IPS
    4
    5
    1.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      PfenseNoob
      last edited by

      I had an older Intel Haswell I5 setup with 16gb of DDR3 and figured why not buid a Pfense box since the pc was just sitting there.

      Thanks to Lawrence Systems on youtube I was able to follow his pfense installation setup as well as his video on Suricata. I howeve run into an error when under IP Reputation Configuration and I go to check the box, and hit save the page returns an error "Assignment of a 'Categories File' is required when IP reputation is enabled."

      I see in the next table below theirs an Assign Category File and click +Add button but I still get the same error and I'm a bit confused.

      I'll post 2 pictures. The first picture is with IP Reputation box clicked with me hitting the save button and getting an error. The second picture will be when I click the +Add button.

      Thanks for the help in advance.

      Link of Lawrence Systems video where clicking the box gave me my error

      https://youtu.be/KRlbkG9Bh6I?t=882

      a36097aa-95f1-4f65-a28a-ee9a1ec7c40a-image.png ![alt text](image url)

      519e3f0d-2cb2-45b4-923c-02d7c1afeb04-image.png

      1 Reply Last reply Reply Quote 0
      • NollipfSenseN
        NollipfSense
        last edited by

        This might help!
        Screen Shot 2020-01-24 at 11.02.28 AM.png

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        1 Reply Last reply Reply Quote 0
        • J
          JasonAU
          last edited by

          I'm also seeing this, I've had pfsense + Suricata running at home for a long time, however I wanted to play with the rep lists and also got a bit confused.

          As a test I installed a dev VM with Snort over Suricata & I found most of the menus to be the same with the exception of WAN IP rep was way easier to set up, I'm not sure if this is a bug for a feature difference.

          You can see in Snort I just enabled the ET Open rules, ran a sync and then the ruleset appears in the interface settings, I can't get Suricata to do the same

          3.JPG 2.JPG 1.JPG

          Brisbane Queensland Australia

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            Suricata's IP reputation engine works nothing like Snort's. To use IP Reputation in Suricata you either need to manually build your own configuration files (it takes at least two) or subscribe to the very expensive IQRisk package from Proofpoint (formerly Emerging Threats).

            You can find configuration information for IP Reputation in Suricata here: https://suricata.readthedocs.io/en/latest/reputation/ipreputation/ip-reputation.html. The link is to version 5.0.1, but 4.1.x works the same way.

            The IP REP tab was originally put in place to support users with an IQRisk subscription from Emerging Threats.

            J 1 Reply Last reply Reply Quote 1
            • J
              JasonAU @bmeeks
              last edited by

              @bmeeks said in Suricata IP Reputation Configuration Help:

              he IP REP tab was originally put in place to s

              Thankyou good info

              Brisbane Queensland Australia

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.