[Oisf-devel] geoip keyword syntax
I. Sanchez
sanchezmartin.ji at gmail.com
Thu Oct 11 16:16:01 UTC 2012
Hi,
I am implementing support for IP address country geolocation in Suricata,
and I wanted to ask your opinion about the syntax to be used for the geoip
keyword options.
https://redmine.openinfosecfoundation.org/issues/559
The keyword options would be:
- Country code. ie: US
- Match condition: match on source IP, match on destination IP, or match
on both.
What do you think would be the best syntax for this?
Some possibilities:
- geoip:<src|dst|both>,<countrycode>;
  alert http any any -> any any (msg:"GEOIP: IP located in US"; geoip:src,US; sid:3450002; rev:1;)
- geoip:<countrycode>,<src|dst|both>;
  alert http any any -> any any (msg:"GEOIP: IP located in US"; geoip:US,src; sid:3450002; rev:1;)
Regards,
I. Sanchez
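As an added illustration (not code from this post or from Suricata itself), here is a small option parser for the first proposed form, `geoip:<src|dst|both>,<countrycode>`. The `GeoIPOption` struct and `geoip_parse` function are hypothetical names; the parser only validates the option string and leaves the actual IP-to-country lookup to the engine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Direction flags for the hypothetical geoip option (not Suricata's own code). */
enum { GEOIP_SRC = 1, GEOIP_DST = 2, GEOIP_BOTH = GEOIP_SRC | GEOIP_DST };

typedef struct {
    int direction;    /* GEOIP_SRC, GEOIP_DST or GEOIP_BOTH */
    char country[3];  /* two-letter country code, upper-cased, NUL-terminated */
} GeoIPOption;

/* Parse the value of "geoip:<src|dst|both>,<countrycode>" (the text after the
 * colon, without the trailing ';'). Returns 0 on success, -1 on a syntax error. */
int geoip_parse(const char *value, GeoIPOption *out)
{
    if (value == NULL || out == NULL)
        return -1;

    const char *comma = strchr(value, ',');
    if (comma == NULL)
        return -1;

    /* Match condition: the token before the comma must be exactly src, dst or both. */
    size_t dirlen = (size_t)(comma - value);
    if (dirlen == 3 && strncmp(value, "src", 3) == 0)
        out->direction = GEOIP_SRC;
    else if (dirlen == 3 && strncmp(value, "dst", 3) == 0)
        out->direction = GEOIP_DST;
    else if (dirlen == 4 && strncmp(value, "both", 4) == 0)
        out->direction = GEOIP_BOTH;
    else
        return -1;

    /* Country code: exactly two ASCII letters (ISO 3166-1 alpha-2 style), e.g. US. */
    const char *cc = comma + 1;
    if (strlen(cc) != 2 || !isalpha((unsigned char)cc[0]) || !isalpha((unsigned char)cc[1]))
        return -1;
    out->country[0] = (char)toupper((unsigned char)cc[0]);
    out->country[1] = (char)toupper((unsigned char)cc[1]);
    out->country[2] = '\0';
    return 0;
}

int main(void)
{
    GeoIPOption opt;
    if (geoip_parse("src,US", &opt) == 0)
        printf("direction=%d country=%s\n", opt.direction, opt.country);
    return 0;
}
```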