Bug in emerging-ciarmy.rules?

I downloaded the latest ruleset and I’m comparing it with the master list https://cinsscore.com/list/ci-badguys.txt.

The master list contains 15,000 addresses (they say they capped the list to 15,000), but what’s weird is that the emerging-ciarmy.rules file appears to have 2500 in numerical order.

It starts at 1.15.135.58 and ends at 68.183.122.101. There are no addresses with a first octet greater than 68.

Of the 15,000 on cinsscore.com, the list starts with 1.1.176.58 and ends with 223.95.199.204.

Am I missing some files?

$  grep -oE '[^0-9]([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})[^0-9]' ./rules/emerging-ciarmy.rules | sed 's/[^0-9.]//g' | sort -nk 1,1 | uniq | wc -l

2500

$  grep -oE '[^0-9]([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})[^0-9]' ./rules/emerging-ciarmy.rules | sed 's/[^0-9.]//g' | sort -nk 1,1 | uniq | head -1

1.15.135.58

$  grep -oE '[^0-9]([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})[^0-9]' ./rules/emerging-ciarmy.rules | sed 's/[^0-9.]//g' | sort -nk 1,1 | uniq | tail -1

68.183.122.101

edit:

I’m using Snort 2.9 (don’t ask why), but this also seems to be the case for Suricata 7.0.3

Indeed! We ran into a hard-stop in the SID ranges we use for CIArmy sigs and we’re investigating. Thanks!

1 Like

Thanks for bringing this to our attention! We needed to extend the SID range for these CIArmy signatures. The full list (minus a small number of IPs that we exclude) will be available with today’s release.

One note: if you try the same piped-grep command as you shared in the initial post, you may still see a smaller number than you expect. There is a slight issue with your regex, specifically the anchoring [^0-9] on either side of the section that captures an IPv4-style IP address. Those [^0-9] chars are part of the match (since grep doesn’t support lookarounds with -E), so they get consumed.

In a list like:

[1.2.3.4,5.6.7.8,9.9.9.9]
  • The first match consumes the comma after 1.2.3.4.

  • The next match needs a non-digit before 5.6.7.8, but the only separator was already consumed by the previous match.

  • Result: it skips every other IP → roughly half the count.

Something like this: grep -oP '(?<!\d)[0-9]{1,3}(?:\.[0-9]{1,3}){3}(?!\d)' gave a more accurate count for me.

1 Like
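Added example (not from the thread or the ET ruleset): a constructed sample that mimics the bracketed IP lists in the rules, counted three ways: the original consuming regex from the first post, the lookaround version suggested above, and an assumed portable alternative for grep builds without -P that splits on every non-address character first so nothing adjacent to an address can be consumed.

```shell
#!/bin/sh
# Constructed sample in the style of an ET IP-list rule; not real ruleset content.
SAMPLE='[1.2.3.4,5.6.7.8,9.9.9.9]
alert ip [10.0.0.1,10.0.0.2,10.0.0.3] any -> $HOME_NET any (msg:"constructed";)'

# Original approach: the [^0-9] on both sides belongs to the match, so the comma
# between two adjacent addresses is consumed and the following address is skipped.
count_consuming() {
  printf '%s\n' "$SAMPLE" \
    | grep -oE '[^0-9]([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})[^0-9]' \
    | sed 's/[^0-9.]//g' | sort -u | wc -l | tr -d ' '
}

# Fix from the thread: zero-width lookarounds check the neighbours without
# consuming them (needs a grep built with PCRE support for -P).
count_lookaround() {
  printf '%s\n' "$SAMPLE" \
    | grep -oP '(?<!\d)[0-9]{1,3}(?:\.[0-9]{1,3}){3}(?!\d)' \
    | sort -u | wc -l | tr -d ' '
}

# Assumed portable alternative: turn every character that is not a digit or a
# dot into a newline, then keep only whole lines that look like an IPv4 address.
count_portable() {
  printf '%s\n' "$SAMPLE" \
    | tr -c '0-9.' '\n' \
    | grep -xE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | sort -u | wc -l | tr -d ' '
}

printf 'consuming=%s lookaround=%s portable=%s\n' \
  "$(count_consuming)" "$(count_lookaround)" "$(count_portable)"
```

The sample holds six addresses; the consuming pattern finds only four (the second of each pair of neighbours is lost), while both other methods find all six.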

Thanks so much for fixing the feed and fixing my grep, it’s very helpful.

I look forward to the updated signatures. Thank you!

1 Like

Thanks for the report @mgjk and great work @pschroeder !