[Oisf-devel] geoip keyword syntax

Peter Manev petermanev at gmail.com
Thu Oct 11 19:02:27 UTC 2012


Hi,

I think I love that new geoip keyword - thank you for the efforts!

A couple of suggestions/requests if I may:

1. I agree/like the proposal - but I wonder if it would be possible to
include multiples (maybe up to a certain number [32 or something]) of
countries - like:
alert http any any -> any any (msg:"GEOIP: IP located in US/Germany/Canada/France"; geoip:src,US,DE,CA,FR; sid:3450002; rev:1;)

2. As there is - src, dst, both - I think it would be nice if there is
also "any" -
alert http any any -> any any (msg:"GEOIP: some traffic to/from the Cayman Islands"; geoip:any,KY; sid:3450005; rev:1;)
any - meaning either source or destination.

thanks a bunch!

On Thu, Oct 11, 2012 at 6:42 PM, Victor Julien <victor at inliniac.net> wrote:

> On 10/11/2012 06:16 PM, I. Sanchez wrote:
> > Hi,
> >
> > I am implementing support for IP address country geolocation in
> > Suricata, and I wanted to ask your opinion about the syntax to be used
> > for the geoip keyword options.
> >
> > https://redmine.openinfosecfoundation.org/issues/559
> >
> > The keyword options would be:
> >
> >   * Country code. ie: US
> >   * Match condition: match on source IP, match on destination IP, or
> >     match on both.
> >
> > What do you think would be the best syntax for this?
> >
> > Some possibilities:
> >
> >   * geoip:<src|dst|both>,<countrycode>;
> >       o alert http any any -> any any (msg:"GEOIP: IP located in
> >         US"; geoip:src,US; sid:3450002; rev:1;)
> >   * geoip:<countrycode>,<src|dst|both>;
> >       o alert http any any -> any any (msg:"GEOIP: IP located in
> >         US"; geoip:US,src; sid:3450002; rev:1;)
>
> Thanks for picking this up!
>
> Doesn't the geoip also allow for other types of data, such as city? I'm
> sure that if we have this in Suricata ppl will be interested in buying
> the more detailed databases as well.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>



-- 
Regards,
Peter Manev
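The following is an added example, not Suricata's code and not code from anyone in this thread. It implements the option grammar proposed above, geoip:<src|dst|both|any>,<countrycode>[,<countrycode>...];, including the two suggestions in the reply (a comma-separated list of countries, capped here at an assumed 32, and the extra "any" condition), and evaluates parsed options against a small constructed prefix-to-country table that stands in for a real GeoIP database. The semantics of "both" (source AND destination in the set) and "any" (source OR destination in the set), the 32-entry cap, the table contents and all function names are assumptions for illustration.

```python
"""Parser and matcher for the geoip rule option syntax proposed in the thread.

Added example only: the condition set, the 32-country cap, the constructed
address table and the both/any semantics are assumptions, not Suricata's.
"""
import ipaddress
import re

MAX_COUNTRIES = 32                        # assumed cap ("32 or something")
CONDITIONS = ("src", "dst", "both", "any")
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")    # ISO 3166-1 alpha-2 shape only

# Constructed lookup table standing in for a GeoIP database (fictional
# mapping of documentation/test prefixes to countries).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/25"): "DE",
    ipaddress.ip_network("203.0.113.128/25"): "KY",
    ipaddress.ip_network("2001:db8::/32"): "FR",
}


def lookup_country(ip):
    """Return the country code for ip, or None when the address is unknown.

    Longest-prefix match so nested networks behave like a real database.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_TABLE.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def parse_geoip(option):
    """Parse the value of a geoip option such as "src,US,DE,CA,FR".

    Returns (condition, frozenset_of_codes). Raises ValueError on a bad
    condition, a malformed code, or more than MAX_COUNTRIES codes.
    """
    parts = [p.strip() for p in option.strip().rstrip(";").split(",")]
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError("geoip needs a condition and at least one country")
    cond, codes = parts[0].lower(), parts[1:]
    if cond not in CONDITIONS:
        raise ValueError("unknown geoip condition %r" % cond)
    if len(codes) > MAX_COUNTRIES:
        raise ValueError("too many country codes (max %d)" % MAX_COUNTRIES)
    bad = [c for c in codes if not COUNTRY_RE.match(c)]
    if bad:
        raise ValueError("malformed country code(s): %s" % ", ".join(bad))
    return cond, frozenset(codes)


def geoip_from_rule(rule):
    """Pull the geoip option out of a full rule line and parse it.

    Simplistic scan for 'geoip:...;' rather than a real option tokenizer;
    returns None when the rule has no geoip option.
    """
    m = re.search(r"geoip\s*:\s*([^;]+);", rule)
    return parse_geoip(m.group(1)) if m else None


def geoip_match(parsed, src_ip, dst_ip):
    """Evaluate a parsed geoip option against a source/destination pair.

    Unknown addresses resolve to None and therefore never match, so a
    rule on countries cannot fire on traffic the database knows nothing
    about. 'both' requires src AND dst in the set; 'any' requires either.
    """
    cond, codes = parsed
    src_hit = lookup_country(src_ip) in codes
    dst_hit = lookup_country(dst_ip) in codes
    if cond == "src":
        return src_hit
    if cond == "dst":
        return dst_hit
    if cond == "both":
        return src_hit and dst_hit
    return src_hit or dst_hit  # "any"


if __name__ == "__main__":
    rule = ('alert http any any -> any any (msg:"GEOIP: some traffic to/from '
            'the Cayman Islands"; geoip:any,KY; sid:3450005; rev:1;)')
    opt = geoip_from_rule(rule)
    print(opt, geoip_match(opt, "203.0.113.200", "198.51.100.7"))
```

The matcher deliberately treats an address that is absent from the table as "no country" rather than as a wildcard; with a real database this is the case that decides whether a geoip rule is safe to deploy as an alert, since unknown or private addresses should not trip a country-based signature.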