[Oisf-devel] geoip keyword syntax

I. Sanchez sanchezmartin.ji at gmail.com
Fri Oct 12 09:35:17 UTC 2012


Yes, I forgot to mention it. Negation will be supported.

On Fri, Oct 12, 2012 at 10:03 AM, Peter Manev <petermanev at gmail.com> wrote:

> Excellent - thank you.
> comments below ...
>
> On Thu, Oct 11, 2012 at 10:07 PM, I. Sanchez <sanchezmartin.ji at gmail.com> wrote:
>
>> Good idea, I will implement multiple conditions (countries) in the same
>> rule. Let's use the <match-on><condition>+ syntax where match-on can be
>> src, dst, both or any.
>>
>>
>> alert http any any -> any any (msg:"GEOIP: IP located in
>> US/Germany/Canada/France"; geoip:src,US,DE,CA,FR; sid:3450002; rev:1;)
>>
>> I can also support geoip:US; by assuming geoip:any,US; , for simplicity.
>>
>
> I agree with the assumption here - I think it is good to assume so.
> I was thinking further on the matter and I am not sure if I am starting to
> sound annoying - but wouldn't it be nice if we can also negate geoip? :
> alert http any any -> any any (msg:"GEOIP: IP destination NOT located
> in US/Canada"; geoip:dst,!US,CA; sid:3450002; rev:1;)
>
>
>
>> Regarding the city support, indeed the MaxMind DBs in their free versions
>> support cities in addition to countries although the accuracy drops from
>> 99.5% (for countries) to 78% in US (for cities), and I guess much less
>> accuracy in other countries.
>>
>> In the commercial DBs, they apparently support regions, organizations...
>> http://www.maxmind.com/en/geolocation_landing
>>
>> For now I will just implement support for countries, but we should take
>> this into account for the keyword syntax. I see some options:
>>
>>    - Autodetect city vs country. I could detect whether the condition is
>>    a known country code, and assume city otherwise. However this will not work
>>    for regions, organizations...
>>    - Allow -for future versions- the check type as an optional param of
>>    the <match-on> condition. ie: geoip:src,city,Madrid;
>>
>>
> this would be awesome in my opinion.
>
>>
>>
>> Regards,
>>
>>
>>
>>
>>
>> On Thu, Oct 11, 2012 at 9:02 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I think I love that new geoip keyword - thank you for the efforts!
>>>
>>> A couple of suggestions/requests if I may:
>>>
>>> 1. I agree/like the proposal - but I wonder if it would be possible to
>>> include multiples (maybe up to a certain number [32 or something]) of
>>> countries - like:
>>> alert http any any -> any any (msg:"GEOIP: IP located in
>>> US/Germany/Canada/France"; geoip:src,US,DE,CA,FR; sid:3450002; rev:1;)
>>>
>>> 2. As there is - src, dst, both - I think it would be nice if there
>>> is also "any" -
>>> alert http any any -> any any (msg:"GEOIP: some traffic to/from the
>>> Cayman Islands"; geoip:any,KY; sid:3450005; rev:1;)
>>> any - meaning either source or destination.
>>>
>>> thanks a bunch!
>>>
>>>
>>> On Thu, Oct 11, 2012 at 6:42 PM, Victor Julien <victor at inliniac.net> wrote:
>>>
>>>> On 10/11/2012 06:16 PM, I. Sanchez wrote:
>>>> > Hi,
>>>> >
>>>> > I am implementing support for IP address country geolocation in
>>>> > Suricata, and I wanted to ask your opinion about the syntax to be used
>>>> > for the geoip keyword options.
>>>> >
>>>> > https://redmine.openinfosecfoundation.org/issues/559
>>>> >
>>>> > The keyword options would be:
>>>> >
>>>> >   * Country code. ie: US
>>>> >   * Match condition: match on source IP, match on destination IP, or
>>>> >     match on both.
>>>> >
>>>> > What do you think would be the best syntax for this?
>>>> >
>>>> > Some possibilities:
>>>> >
>>>> >   * geoip:<src|dst|both>,<countrycode>;
>>>> >       o alert http any any -> any any (msg:"GEOIP: IP located in
>>>> >         US"; geoip:src,US; sid:3450002; rev:1;)
>>>> >   * geoip:<countrycode>,<src|dst|both>;
>>>> >       o alert http any any -> any any (msg:"GEOIP: IP located in
>>>> >         US"; geoip:US,src; sid:3450002; rev:1;)
>>>>
>>>> Thanks for picking this up!
>>>>
>>>> Doesn't the geoip also allow for other types of data, such as city? I'm
>>>> sure that if we have this in Suricata ppl will be interested in buying
>>>> the more detailed databases as well.
>>>>
>>>> --
>>>> ---------------------------------------------
>>>> Victor Julien
>>>> http://www.inliniac.net/
>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>> ---------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Oisf-devel mailing list
>>>> Oisf-devel at openinfosecfoundation.org
>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>>
>>
>>
>
>
> --
> Regards,
> Peter Manev
>
>
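The thread converges on the syntax geoip:<src|dst|both|any>,<countrycode>+ with a leading "!" for negation and a bare country code meaning "any". Below is an added, stand-alone prototype of that parsing and matching logic (example code written for this page; it is not Suricata's own detect-geoip implementation, and the MaxMind lookup is replaced by a small constructed table). Two choices the thread leaves open are made explicit as assumptions: a leading "!" negates the whole country list (so dst,!US,CA means "destination not in US or Canada"), and an address whose country cannot be resolved (private ranges, unknown ranges) never matches, even under negation, so negated rules do not fire on internal traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# match-on values agreed in the thread; "any" means either source or destination
MATCH_ON = ("src", "dst", "both", "any")
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2 codes as used by MaxMind


@dataclass(frozen=True)
class GeoIPOption:
    match_on: str
    countries: frozenset
    negated: bool


def parse_geoip(option: str) -> GeoIPOption:
    """Parse the value of a geoip: keyword, e.g. 'src,US,DE' or 'dst,!US,CA' or 'US'."""
    parts = [p.strip() for p in option.strip().rstrip(";").split(",")]
    if not parts or not parts[0]:
        raise ValueError("empty geoip option")
    if parts[0].lower() in MATCH_ON:
        match_on = parts.pop(0).lower()
    else:
        match_on = "any"  # bare 'geoip:US;' is shorthand for 'geoip:any,US;' (thread assumption)
    if not parts:
        raise ValueError("geoip needs at least one country code")
    negated = False
    if parts[0].startswith("!"):  # assumption: '!' on the first code negates the whole list
        negated = True
        parts[0] = parts[0][1:]
    codes = []
    for code in parts:
        code = code.upper()
        if not COUNTRY_RE.match(code):
            raise ValueError(f"invalid country code: {code!r}")
        codes.append(code)
    return GeoIPOption(match_on, frozenset(codes), negated)


def extract_geoip_option(rule: str) -> Optional[str]:
    """Pull the geoip: option value out of a full rule line, or None if absent."""
    m = re.search(r"geoip:\s*([^;]+);", rule)
    return m.group(1).strip() if m else None


def geoip_match(opt: GeoIPOption, src_country: Optional[str], dst_country: Optional[str]) -> bool:
    """Evaluate a parsed option against the resolved countries of a packet's endpoints."""
    def addr_matches(country: Optional[str]) -> bool:
        if country is None:
            return False  # assumption: unresolvable address never matches, even when negated
        in_set = country.upper() in opt.countries
        return (not in_set) if opt.negated else in_set

    s, d = addr_matches(src_country), addr_matches(dst_country)
    if opt.match_on == "src":
        return s
    if opt.match_on == "dst":
        return d
    if opt.match_on == "both":
        return s and d
    return s or d  # "any"


# Constructed stand-in for the MaxMind country database (documentation-range IPs only).
SAMPLE_GEO = {
    "203.0.113.7": "US",
    "198.51.100.9": "DE",
    "192.0.2.44": "KY",
}


def lookup_country(ip: str) -> Optional[str]:
    """Return the country for an IP, or None for private/unknown addresses."""
    return SAMPLE_GEO.get(ip)


def rule_matches(rule: str, src_ip: str, dst_ip: str) -> bool:
    """True if the geoip: option in `rule` matches the given source/destination IPs."""
    option = extract_geoip_option(rule)
    if option is None:
        return False
    return geoip_match(parse_geoip(option), lookup_country(src_ip), lookup_country(dst_ip))


if __name__ == "__main__":
    rule = ('alert http any any -> any any (msg:"GEOIP: IP destination NOT located in US/Canada"; '
            'geoip:dst,!US,CA; sid:3450002; rev:1;)')
    print(rule_matches(rule, "10.0.0.5", "198.51.100.9"))  # DE destination: matches
    print(rule_matches(rule, "10.0.0.5", "203.0.113.7"))   # US destination: no match
    print(rule_matches(rule, "10.0.0.5", "10.0.0.6"))      # unresolved destination: no match
```

Making the "unresolved never matches" rule explicit matters for negated rules: without it, dst,!US,CA would fire on every RFC1918 destination, which is exactly the kind of noise a geoip keyword is meant to cut down.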