[Oisf-devel] geoip keyword syntax

Peter Manev petermanev at gmail.com
Fri Oct 12 09:03:29 UTC 2012 

Excellent - thank you.
comments bellow ...

On Thu, Oct 11, 2012 at 10:07 PM, I. Sanchez <sanchezmartin.ji at gmail.com>wrote:

> Good idea, I will implement multiple conditions(countries) in the same
> rule. Let's use the <match-on><condition>+ syntax where match-on can be
> src, dst, both or any.
>
>
> alert http any any -> any any (msg:"GEOIP: IP located in
> US/Germany/Canada/France";* geoip:src,US,DE,CA,FR*; sid:3450002; rev:1;)
>
> I can also support geoip:US; by assuming geoip:any,US; , for simplicity.
>

I agree with the assumption here - i think it is good to assume so.
I was thinking further on the matter and I am not sure if i am starting to
sound annoying - but wouldn't it be nice if we can also negate geoip? :
alert http any any -> any any (msg:"GEOIP: IP destination  *NOT* located in
US/Canada";* *geoip:*dst,!*US,CA; sid:3450002; rev:1;)



> Regarding the city support, indeed the MaxMind DBs in their free versions
> support cities in addition to countries although the accuracy drops from
> 99.5% (for countries) to 78% in US (for cities), and I guess much less
> accuracy in other countries.
>
> In the commercial DBs, they apparently support regions, organizations...
> http://www.maxmind.com/en/geolocation_landing
>
> For now I will just implement support for countries, but we should take
> this into account for the keyword syntax. I see some options:
>
>    - Autodetect city vs country. I could detect whether the condition is
>    a known country code, and assume city otherwise. However this will not work
>    for regions, organizations...
>    - Allow -for future versions- the check type as an optional param of
>    the <match-on> condition. ie: geoip:src,city,Madrid;
>
>
this would be awesome in my opinion.

>
>
> Regards,
>
>
>
>
>
> On Thu, Oct 11, 2012 at 9:02 PM, Peter Manev <petermanev at gmail.com> wrote:
>
>> Hi,
>>
>> I think i love that new geoip keyword - thank you for the efforts !
>>
>> A couple of suggestions/requests if I may:
>>
>> 1.I agree/like the proposal - but I wonder if it would be possible to
>> include multiples(maybe up to a certain number [32 or something] ) of
>> countries - like:
>> alert http any any -> any any (msg:"GEOIP: IP located in
>> US/Germany/Canada/France";* geoip:src,US,DE,CA,FR*; sid:3450002; rev:1;)
>>
>> 2. As there is - *src, dst, both* - i think it would be nice if there is
>> also "*any*" -
>> alert http any any -> any any (msg:"GEOIP: some traffic to/from the
>> Cayman Islands";* geoip:any,KY*; sid:3450005; rev:1;)
>> any - meaning either source or destination.
>>
>> thanks a bunch!
>>
>>
>> On Thu, Oct 11, 2012 at 6:42 PM, Victor Julien <victor at inliniac.net>wrote:
>>
>>> On 10/11/2012 06:16 PM, I. Sanchez wrote:
>>> > Hi,
>>> >
>>> > I am implementing support for IP address country geolocation in
>>> > Suricata, and I wanted to ask your opinion about the syntax to be used
>>> > for the geoip keyword options.
>>> >
>>> > https://redmine.openinfosecfoundation.org/issues/559
>>> >
>>> > The keyword options would be:
>>> >
>>> >   * Country code. ie: US
>>> >   * Match condition: match on source IP, match on destination IP, or
>>> >     match on both.
>>> >
>>> > What do you think would be the best syntax for this?
>>> >
>>> > Some possibilities:
>>> >
>>> >   * geoip:<src|dst|both>,<countrycode>;
>>> >       o alert http any any -> any any (msg:"GEOIP: IP located in
>>> >         US";*geoip:src,US*;sid:3450002;rev:1;)
>>> >   * geoip:<countrycode>,<src|dst|both>;
>>> >       o alert http any any -> any any (msg:"GEOIP: IP located in
>>> >         US";*geoip:US,src*;sid:3450002;rev:1;)
>>>
>>> Thanks for picking this up!
>>>
>>> Doesn't the geoip also allow for other types of data, such as city? I'm
>>> sure that if we have this in Suricata ppl will be interested in buying
>>> the more detailed databases as well.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>
>


-- 
Regards,
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20121012/365aec51/attachment-0002.html>

More information about the Oisf-devel mailing list