[Oisf-devel] geoip keyword syntax

I. Sanchez sanchezmartin.ji at gmail.com
Thu Oct 11 20:07:48 UTC 2012


Good idea, I will implement multiple conditions (countries) in the same
rule. Let's use the <match-on><condition>+ syntax where match-on can be
src, dst, both or any.

alert http any any -> any any (msg:"GEOIP: IP located in
US/Germany/Canada/France"; geoip:src,US,DE,CA,FR; sid:3450002; rev:1;)

I can also support geoip:US; by assuming geoip:any,US;, for simplicity.

Regarding the city support, indeed the MaxMind DBs in their free versions
support cities in addition to countries although the accuracy drops from
99.5% (for countries) to 78% in US (for cities), and I guess much less
accuracy in other countries.

In the commercial DBs, they apparently support regions, organizations...
http://www.maxmind.com/en/geolocation_landing

For now I will just implement support for countries, but we should take
this into account for the keyword syntax. I see some options:

   - Autodetect city vs country. I could detect whether the condition is a
   known country code, and assume city otherwise. However, this will not work
   for regions, organizations...
   - Allow (for future versions) the check type as an optional param of the
   <match-on> condition, i.e.: geoip:src,city,Madrid;

Regards,




On Thu, Oct 11, 2012 at 9:02 PM, Peter Manev <petermanev at gmail.com> wrote:

> Hi,
>
> I think I love that new geoip keyword - thank you for the efforts!
>
> A couple of suggestions/requests if I may:
>
> 1. I agree/like the proposal - but I wonder if it would be possible to
> include multiples (maybe up to a certain number [32 or something]) of
> countries - like:
> alert http any any -> any any (msg:"GEOIP: IP located in
> US/Germany/Canada/France"; geoip:src,US,DE,CA,FR; sid:3450002; rev:1;)
>
> 2. As there is - src, dst, both - I think it would be nice if there is
> also "any" -
> alert http any any -> any any (msg:"GEOIP: some traffic to/from the Cayman
> Islands"; geoip:any,KY; sid:3450005; rev:1;)
> any - meaning either source or destination.
>
> thanks a bunch!
>
>
> On Thu, Oct 11, 2012 at 6:42 PM, Victor Julien <victor at inliniac.net> wrote:
>
>> On 10/11/2012 06:16 PM, I. Sanchez wrote:
>> > Hi,
>> >
>> > I am implementing support for IP address country geolocation in
>> > Suricata, and I wanted to ask your opinion about the syntax to be used
>> > for the geoip keyword options.
>> >
>> > https://redmine.openinfosecfoundation.org/issues/559
>> >
>> > The keyword options would be:
>> >
>> >   * Country code, i.e.: US
>> >   * Match condition: match on source IP, match on destination IP, or
>> >     match on both.
>> >
>> > What do you think would be the best syntax for this?
>> >
>> > Some possibilities:
>> >
>> >   * geoip:<src|dst|both>,<countrycode>;
>> >       o alert http any any -> any any (msg:"GEOIP: IP located in
>> >         US";geoip:src,US;sid:3450002;rev:1;)
>> >   * geoip:<countrycode>,<src|dst|both>;
>> >       o alert http any any -> any any (msg:"GEOIP: IP located in
>> >         US";geoip:US,src;sid:3450002;rev:1;)
>>
>> Thanks for picking this up!
>>
>> Doesn't the geoip also allow for other types of data, such as city? I'm
>> sure that if we have this in Suricata ppl will be interested in buying
>> the more detailed databases as well.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>
>
>
> --
> Regards,
> Peter Manev
>
>
>
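The option syntax worked out in this thread (a src/dst/both/any prefix, several country codes, and geoip:US as shorthand for any), as an added example that is neither Suricata's code nor the author's patch. The geolocation table is a constructed stand-in for a MaxMind country DB, and reading "both" with several countries as "src and dst are each in the listed set" is an assumption.

```python
# Added example, not Suricata's own code: parse and evaluate the geoip
# option syntax discussed in this thread, geoip:<src|dst|both|any>,<cc>[,<cc>...]
# with geoip:<cc>[,...] as shorthand for "any".  Assumption: with several
# countries, "both" means src AND dst are each in the listed set.
import ipaddress

MATCH_ON = ("src", "dst", "both", "any")

# Constructed sample geolocation table standing in for a MaxMind country DB.
SAMPLE_GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "KY",
}

def lookup_country(ip):
    """Return the ISO country code for ip, or None when the DB has no entry."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in SAMPLE_GEO_DB.items() if addr in net), None)

def parse_geoip_option(option):
    """Parse the value of a geoip: option into (match_on, set_of_codes)."""
    parts = [p.strip() for p in option.strip().rstrip(";").split(",")]
    if parts[0].lower() in MATCH_ON:
        match_on, codes = parts[0].lower(), parts[1:]
    else:
        match_on, codes = "any", parts          # geoip:US; == geoip:any,US;
    codes = {c.upper() for c in codes}
    if not codes or any(len(c) != 2 or not c.isalpha() for c in codes):
        raise ValueError("geoip: expected two-letter country codes: %r" % option)
    return match_on, codes

def geoip_match(option, src_ip, dst_ip):
    """True if the packet's src/dst countries satisfy the geoip option.
    Addresses missing from the DB never match."""
    match_on, codes = parse_geoip_option(option)
    src_hit = lookup_country(src_ip) in codes
    dst_hit = lookup_country(dst_ip) in codes
    if match_on == "src":
        return src_hit
    if match_on == "dst":
        return dst_hit
    if match_on == "both":
        return src_hit and dst_hit
    return src_hit or dst_hit                   # any: either side
```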