Filter Reputation
frikilax edited this page Sep 19, 2019
The Reputation filter matches the tags requested for a specific IP against the tags registered for that IP in reputation databases (such as Firehol or GeoIP).
Filter code: 0x72657075
Dependencies:
- libmaxminddb, 1.3.1 or above
Example of darwin configuration for this filter:
{
  "filter_1": {
    "exec_path": "/path/to/darwin/build/darwin_reputation",
    "config_file": "/path/to/filter.conf",
    "output": "LOG",
    "next_filter": "",
    "nb_thread": 1,
    "log_level": "DEBUG",
    "cache_size": 0
  }
}
Filter configuration (the file referenced by config_file):
- mmdb_database: the full path to the reputation file (in the MaxMindDB format)
Example:
{
  "mmdb_database": "/var/db/darwin/firehol.mmdb"
}
Body format (each entry is an IP and a ";"-separated list of the tags to check for it):
[
  ["<IP>", "TAG1;TAG2"],
  ["<IP>", "TAG3"],
  ...
]
Here is an example of a body:
[
  ["10.0.0.3", "ATTACK;TOR"],
  ["192.168.1.42", "BITCOIN"],
  ...
]
Here the request checks IP 10.0.0.3 against the tags ATTACK and TOR, and IP 192.168.1.42 against the tag BITCOIN (example data only: these IPs and tags are not guaranteed to be present in the databases).
The filter returns a certitude for each entry of the request and, if logging is configured, generates a log line in this format:
{"evt_id": "<uuid>", "time": "<ISO8601>", "filter": "reputation", "ip": "<IP>", "tags": ["<TAG1>", "<TAG2>", ...], "certitude": <certitude>}
default threshold
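A worked example of the body handling, scoring and log line described above (added here; this is not Darwin's own code): an in-memory table stands in for the MaxMindDB lookup, and the scoring rule and the default threshold are assumptions, since the page does not state them.

```python
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Constructed stand-in for the MaxMindDB file (assumption): network -> registered
# tags. The real filter resolves tags through libmaxminddb, and the key layout of
# the actual database is not described on the page.
REPUTATION_DB = {
    ipaddress.ip_network("10.0.0.0/24"): {"TOR", "SCANNER"},
    ipaddress.ip_network("192.168.1.0/24"): {"BITCOIN"},
}

def lookup_tags(ip):
    """Return the tags registered for ip, or an empty set when it is unknown."""
    addr = ipaddress.ip_address(ip)
    return next((tags for net, tags in REPUTATION_DB.items() if addr in net), set())

def parse_body(body):
    """Validate a body of [[ip, "TAG1;TAG2"], ...] entries into (ip, {tags}) pairs."""
    parsed = []
    for entry in json.loads(body):
        if not (isinstance(entry, list) and len(entry) == 2 and isinstance(entry[1], str)):
            raise ValueError(f"malformed entry: {entry!r}")
        ip, tags = entry
        ipaddress.ip_address(ip)  # rejects anything that is not an IPv4/IPv6 address
        parsed.append((ip, {t for t in tags.split(";") if t}))
    return parsed

def certitude(ip, requested):
    """Assumed scoring: 100 when any requested tag is registered for ip, else 0."""
    return 100 if requested & lookup_tags(ip) else 0

def process(body, threshold=100):
    """Score every entry and build a log line for each one at or above threshold.
    The default threshold is an assumption; the page does not give Darwin's value."""
    certitudes, logs = [], []
    for ip, requested in parse_body(body):
        score = certitude(ip, requested)
        certitudes.append(score)
        if score >= threshold:
            logs.append(json.dumps({
                "evt_id": str(uuid.uuid4()),
                "time": datetime.now(timezone.utc).isoformat(),
                "filter": "reputation",
                "ip": ip,
                "tags": sorted(requested),
                "certitude": score,
            }))
    return certitudes, logs
```

Running process('[["10.0.0.3", "ATTACK;TOR"], ["192.168.1.42", "BITCOIN"]]') scores both entries 100 and emits two log lines; an IP absent from the table scores 0 and produces none.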