From 8b42182fee1a3cd79e58063a86ebeb202e7e4bd6 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 6 Jun 2024 17:38:55 +0200 Subject: [PATCH] doc/userguide: document iprep isset/isnotset --- doc/userguide/rules/ip-reputation-rules.rst | 32 ++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/doc/userguide/rules/ip-reputation-rules.rst b/doc/userguide/rules/ip-reputation-rules.rst index 19ee033e1b08..dd520b4e3fea 100644 --- a/doc/userguide/rules/ip-reputation-rules.rst +++ b/doc/userguide/rules/ip-reputation-rules.rst @@ -29,7 +29,37 @@ Example: alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; flow:to_server; iprep:dst,CnC,>,30; sid:1; rev:1;) -This rule will alert when a system in $HOME_NET acts as a client while communicating with any IP in the CnC category that has a reputation score set to greater than 30. +This rule will alert when a system in ``$HOME_NET`` acts as a client while communicating with any IP in the CnC category that has a reputation score set to greater than 30. + +isset and isnotset +~~~~~~~~~~~~~~~~~~ + +``isset`` and ``isnotset`` can be used to test reputation "membership" + +:: + + iprep:,, + + +``side to check``: + +``category``: the category short name + +To test whether an IP is part of an iprep set at all, the ``isset`` can be used. It acts as a ``>=,0`` statement. + +.. container:: example-rule + + drop ip $HOME_NET any -> any any (:example-rule-options:`iprep:src,known-bad-hosts,isset;` sid:1;) + +In this example traffic to any IP with a score in ``known-bad-hosts`` would be blocked. + +``isnotset`` can be used to test if an IP is not a part of the set. + +.. container:: example-rule + + drop ip $HOME_NET any -> any any (:example-rule-options:`iprep:src,trusted-hosts,isnotset;` sid:1;) + +In this example traffic for a host w/o a trust score would be blocked. Compatibility with IP-only ~~~~~~~~~~~~~~~~~~~~~~~~~~
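Review bot: the syntax block in the new "isset and isnotset" section reads `iprep:,,` with no field names between the commas, and the field list below it starts with ```side to check``:` followed by nothing, so a reader cannot tell from this hunk that the option takes the side, the category and the `isset`/`isnotset` keyword in that order. Please fill in the three placeholders in the `::` block (side, category, and the isset/isnotset keyword) and give ``side to check`` the same `src`/`dst` description the existing operator section has, so this block matches the format used above it. Two smaller points in the same hunk: both example rules test the source address (`iprep:src,known-bad-hosts,isset;` with `$HOME_NET any -> any any`), but the first explanatory sentence says "traffic to any IP with a score in ``known-bad-hosts`` would be blocked", which describes a `dst` check; it should say traffic from a ``$HOME_NET`` host that has a score in that list, and the ``isnotset`` sentence should likewise say the ``$HOME_NET`` source lacks a score. Style-wise, the sentence ending in `test reputation "membership"` is missing its full stop and "w/o" should be spelled out as "without" to match the rest of the user guide.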