
Filter Reputation

frikilax edited this page Sep 19, 2019 · 2 revisions


Description

The Reputation filter matches the tags requested for a given IP against the tags registered for that IP in reputation databases (such as Firehol or GeoIP).

Filter Code

0x72657075

Dependencies

  • libmaxminddb, 1.3.1 or above

Darwin configuration

Example of darwin configuration for this filter:

{
    "filter_1": {
        "exec_path": "/path/to/darwin/build/darwin_reputation",
        "config_file":"/path/to/filter.conf",
        "output": "LOG",
        "next_filter": "",
        "nb_thread": 1,
        "log_level": "DEBUG",
        "cache_size": 0
    }
}

Config file

  • mmdb_database: the full path to the reputation file (in the MaxMindDB format)

Example:

{
    "mmdb_database": "/var/db/darwin/firehol.mmdb"
}

Body

[
    ["<IP>", "TAG1;TAG2"],
    ["<IP>", "TAG3"],
    ...
]

Example

Here is an example of a body:

[
    ["10.0.0.3", "ATTACK;TOR"],
    ["192.168.1.42", "BITCOIN"],
    ...
]

Here the request checks IP 10.0.0.3 against the tags ATTACK and TOR, and IP 192.168.1.42 against the tag BITCOIN (example data only: these IPs and tags are not guaranteed to be present in the databases).

Results

The filter returns the certitude(s) for each entry of the request, and will generate a log line if configured correctly. The log line will have this format:

{"evt_id": "<uuid>", "time": "<ISO8601>", "filter": "reputation", "ip": "<IP>", "tags": ["<TAG1>", "<TAG2>", ...], "certitude": <certitude>}
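The following is an added example (not code from the Darwin project) that models what this filter does end to end: it parses a request body in the format shown above, validates each entry, looks the IP up in a reputation source, and emits one record per entry in the log format shown above. It assumes an in-memory dictionary of networks and tags in place of the MaxMindDB file read through libmaxminddb, and it assumes a certitude of 100 when any requested tag is registered for the IP and 0 otherwise, since the page does not define the formula.

```python
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Constructed stand-in for the MaxMindDB reputation file (network -> registered tags).
# A real deployment reads these records through libmaxminddb from "mmdb_database".
REPUTATION_DB = {
    ipaddress.ip_network("10.0.0.0/24"): {"ATTACK", "TOR"},
    ipaddress.ip_network("192.168.1.0/24"): {"PROXY"},
}

def lookup_tags(ip):
    """Tags registered for the longest-prefix network containing ip (empty if none)."""
    hits = [(net.prefixlen, tags) for net, tags in REPUTATION_DB.items() if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else set()

def parse_body(body_json):
    """Parse the filter body, a JSON list of [ip, "TAG1;TAG2"] pairs.
    Malformed entries raise ValueError instead of being silently skipped."""
    parsed = []
    for entry in json.loads(body_json):
        if not (isinstance(entry, list) and len(entry) == 2):
            raise ValueError(f"bad entry: {entry!r}")
        ip = ipaddress.ip_address(entry[0])  # ValueError on anything that is not an IP
        tags = [t for t in entry[1].split(";") if t]
        if not tags:
            raise ValueError(f"no tags requested for {ip}")
        parsed.append((ip, tags))
    return parsed

def certitude_for(ip, requested):
    # Assumption for this example: 100 when any requested tag is registered for the IP, else 0.
    return 100 if set(requested) & lookup_tags(ip) else 0

def evaluate(body_json):
    """One log record per request entry, in the format documented on this page."""
    return [
        {"evt_id": str(uuid.uuid4()), "time": datetime.now(timezone.utc).isoformat(),
         "filter": "reputation", "ip": str(ip), "tags": tags,
         "certitude": certitude_for(ip, tags)}
        for ip, tags in parse_body(body_json)
    ]

# Constructed request body, same shape as the page's example.
BODY = '[["10.0.0.3", "ATTACK;TOR"], ["192.168.1.42", "BITCOIN"]]'
if __name__ == "__main__":
    for record in evaluate(BODY):
        print(json.dumps(record))
```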

default threshold
