[Oisf-devel] geoip keyword syntax

Victor Julien victor at inliniac.net
Thu Oct 11 16:42:58 UTC 2012


On 10/11/2012 06:16 PM, I. Sanchez wrote:
> Hi,
> 
> I am implementing support for IP address country geolocation in
> Suricata, and I wanted to ask your opinion about the syntax to be used
> for the geoip keyword options.
> 
> https://redmine.openinfosecfoundation.org/issues/559
> 
> The keyword options would be:
> 
>   * Country code. ie: US
>   * Match condition: match on source IP, match on destination IP, or
>     match on both.
> 
> What do you think would be the best syntax for this?
> 
> Some possibilities:
> 
>   * geoip:<src|dst|both>,<countrycode>;
>       o alert http any any -> any any (msg:"GEOIP: IP located in
>         US";*geoip:src,US*;sid:3450002;rev:1;)
>   * geoip:<countrycode>,<src|dst|both>;
>       o alert http any any -> any any (msg:"GEOIP: IP located in
>         US";*geoip:US,src*;sid:3450002;rev:1;)

Thanks for picking this up!

Doesn't the geoip also allow for other types of data, such as city? I'm
sure that if we have this in Suricata ppl will be interested in buying
the more detailed databases as well.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
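The two candidate option orderings quoted above, as an added example (this is not code from Suricata or from the thread): a small Python parser that accepts either field order and a matcher for the src/dst/both condition. The country database is a constructed stand-in, and "both" is assumed here to mean that source and destination must both be in the given country.

```python
import re
import ipaddress
from dataclasses import dataclass

# Direction tokens from the proposed syntax. "both" is assumed to mean that
# source AND destination must be located in the country (assumption).
DIRECTIONS = {"src", "dst", "both"}

@dataclass(frozen=True)
class GeoipOption:
    direction: str   # "src", "dst" or "both"
    country: str     # ISO 3166-1 alpha-2 code, e.g. "US"

def parse_geoip_option(rule: str) -> GeoipOption:
    """Extract the geoip option from a rule body, accepting both orderings
    floated on the list: geoip:<src|dst|both>,<cc>; and geoip:<cc>,<src|dst|both>;
    The two-letter token that is not a direction word is the country code."""
    m = re.search(r"geoip:\s*([^;]+);", rule)
    if not m:
        raise ValueError("rule has no geoip option")
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) != 2:
        raise ValueError(f"geoip expects 2 comma-separated fields, got {parts!r}")
    dirs = [p for p in parts if p.lower() in DIRECTIONS]
    codes = [p for p in parts if p.lower() not in DIRECTIONS]
    if len(dirs) != 1 or len(codes) != 1 or not re.fullmatch(r"[A-Za-z]{2}", codes[0]):
        raise ValueError(f"malformed geoip option: {m.group(1)!r}")
    return GeoipOption(dirs[0].lower(), codes[0].upper())

# Constructed stand-in for a GeoIP database: network -> country code.
CONSTRUCTED_DB = {ipaddress.ip_network(n): cc for n, cc in
                  {"198.51.100.0/24": "US", "203.0.113.0/24": "DE", "192.0.2.0/24": "CA"}.items()}

def lookup_country(ip: str):
    addr = ipaddress.ip_address(ip)
    for net, cc in CONSTRUCTED_DB.items():
        if addr in net:
            return cc
    return None   # unknown address has no country and never matches

def geoip_matches(opt: GeoipOption, src_ip: str, dst_ip: str) -> bool:
    src_hit = lookup_country(src_ip) == opt.country
    dst_hit = lookup_country(dst_ip) == opt.country
    if opt.direction == "src":
        return src_hit
    if opt.direction == "dst":
        return dst_hit
    return src_hit and dst_hit   # "both"

RULE_A = 'alert http any any -> any any (msg:"GEOIP: IP located in US";geoip:src,US;sid:3450002;rev:1;)'
RULE_B = 'alert http any any -> any any (msg:"GEOIP: IP located in US";geoip:US,src;sid:3450002;rev:1;)'
```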