[Oisf-devel] geoip keyword syntax

I. Sanchez sanchezmartin.ji at gmail.com
Sun Oct 14 10:38:51 UTC 2012


IPv4 for now.

I see that IPv6 is supported by libgeoip, so it should be straightforward
to implement.

On Sun, Oct 14, 2012 at 11:45 AM, Peter Manev <petermanev at gmail.com> wrote:

> Hi,
> I was wondering if the geoip word is IPv4 only? or it supports both IPv6
> and v4 ?
>
> thanks
>
>
> On Sun, Oct 14, 2012 at 1:25 AM, I. Sanchez <sanchezmartin.ji at gmail.com> wrote:
>
>> It is fixed now. It was a silly issue with one "if" (plus a few other
>> minor issues in the option string parser).
>>
>> Now everything seems to be working ok.
>>
>> The match function looks like this now:
>>
>> static int DetectGeoipMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
>>                              Packet *p, Signature *s, SigMatch *m)
>> {
>>     DetectGeoipData *geoipdata = (DetectGeoipData *)m->ctx;
>>
>>     int match = 0;
>>     int matches = 0;
>>
>>     if (PKT_IS_IPV4(p))
>>     {
>>         if (geoipdata->flags & GEOIP_MATCH_SRC_FLAG || geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
>>         {
>>             /* if there is a flow get SRC IP of the flow, not packet */
>>             if (p->flowflags & FLOW_PKT_TOCLIENT)
>>                 /* the dst (from server to client) is our src */
>>                 match = CheckGeoMatchIPv4(geoipdata, GET_IPV4_DST_ADDR_U32(p));
>>             else
>>                 match = CheckGeoMatchIPv4(geoipdata, GET_IPV4_SRC_ADDR_U32(p));
>>
>>             if (match)
>>             {
>>                 if (geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
>>                     matches++;
>>                 else
>>                     return 1;
>>             }
>>         }
>>         if (geoipdata->flags & GEOIP_MATCH_DST_FLAG || geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
>>         {
>>             /* if there is a flow get DST IP of the flow, not packet */
>>             if (p->flowflags & FLOW_PKT_TOCLIENT)
>>                 /* the src (from server to client) is our dst */
>>                 match = CheckGeoMatchIPv4(geoipdata, GET_IPV4_SRC_ADDR_U32(p));
>>             else
>>                 match = CheckGeoMatchIPv4(geoipdata, GET_IPV4_DST_ADDR_U32(p));
>>
>>             if (match)
>>             {
>>                 if (geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
>>                     matches++;
>>                 else
>>                     return 1;
>>             }
>>         }
>>         /* if matches == 2 is because match-on is "both" */
>>         if (matches == 2)
>>             return 1;
>>     }
>>
>>     return 0;
>> }
>>
>>
>>
>> On Sat, Oct 13, 2012 at 9:46 PM, I. Sanchez <sanchezmartin.ji at gmail.com> wrote:
>>
>>> Ok, I have done an initial implementation (just country geolocation for
>>> now). It is available at https://github.com/owlsec/suricata/tree/geoip
>>>
>>> When checking a packet, I take into account the flow source and
>>> destination IPs for the match-on condition, if a flow exists. However, in my
>>> tests I have seen it is not working well... a geoip:src,US; rule will be
>>> triggered as well when talking HTTP to google.com from a non-US source
>>> IP address.
>>>
>>> I am not sure about the reason for this behavior, so perhaps somebody
>>> could let me know what is wrong here.
>>>
>>> https://github.com/owlsec/suricata/blob/geoip/src/detect-geoip.c
>>>
>>> The relevant function is this one:
>>>
>>> static int DetectGeoipMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
>>>                              Packet *p, Signature *s, SigMatch *m)
>>> {
>>>     DetectGeoipData *geoipdata = (DetectGeoipData *)m->ctx;
>>>
>>>     int match = 0;
>>>     int matches = 0;
>>>     uint32_t ip;
>>>
>>>     if (PKT_IS_IPV4(p))
>>>     {
>>>         if (geoipdata->flags & GEOIP_MATCH_SRC_FLAG || geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
>>>         {
>>>             /* if there is a flow get SRC IP of the flow, not packet */
>>>             if (p->flowflags & FLOW_PKT_TOCLIENT)
>>>                 ip = GET_IPV4_DST_ADDR_U32(p); /* the dst (from server to client) is our src */
>>>             else
>>>                 ip = GET_IPV4_SRC_ADDR_U32(p);
>>>             match = CheckGeoMatchIPv4(geoipdata, ip);
>>>             if (match && geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
>>>                 matches++;
>>>             else
>>>                 return 1;
>>>         }
>>>
>>>         if (geoipdata->flags & GEOIP_MATCH_DST_FLAG || geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
>>>         {
>>>             /* if there is a flow get DST IP of the flow, not packet */
>>>             if (p->flowflags & FLOW_PKT_TOCLIENT)
>>>                 ip = GET_IPV4_SRC_ADDR_U32(p); /* the src (from server to client) is our dst */
>>>             else
>>>                 ip = GET_IPV4_DST_ADDR_U32(p);
>>>             match = CheckGeoMatchIPv4(geoipdata, ip);
>>>             if (match && geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
>>>                 matches++;
>>>             else
>>>                 return 1;
>>>         }
>>>
>>>         /* if matches == 2 is because match-on is "both" */
>>>         if (matches == 2)
>>>             return 1;
>>>     }
>>>
>>>     return 0;
>>> }
>>>
>>>
>>>
>>> On Fri, Oct 12, 2012 at 11:35 AM, I. Sanchez <sanchezmartin.ji at gmail.com> wrote:
>>>
>>>> Yes, I forgot to mention it. Negation will be supported.
>>>>
>>>>
>>>> On Fri, Oct 12, 2012 at 10:03 AM, Peter Manev <petermanev at gmail.com> wrote:
>>>>
>>>>> Excellent - thank you.
>>>>> comments below ...
>>>>>
>>>>> On Thu, Oct 11, 2012 at 10:07 PM, I. Sanchez <
>>>>> sanchezmartin.ji at gmail.com> wrote:
>>>>>
>>>>>> Good idea, I will implement multiple conditions(countries) in the
>>>>>> same rule. Let's use the <match-on><condition>+ syntax where match-on can
>>>>>> be src, dst, both or any.
>>>>>>
>>>>>>
>>>>>> alert http any any -> any any (msg:"GEOIP: IP located in
>>>>>> US/Germany/Canada/France"; geoip:src,US,DE,CA,FR; sid:3450002;
>>>>>> rev:1;)
>>>>>>
>>>>>> I can also support geoip:US; by assuming geoip:any,US; for
>>>>>> simplicity.
>>>>>>
>>>>>
>>>>> I agree with the assumption here - I think it is good to assume so.
>>>>> I was thinking further on the matter and I am not sure if I am
>>>>> starting to sound annoying - but wouldn't it be nice if we could also negate
>>>>> geoip?
>>>>> alert http any any -> any any (msg:"GEOIP: IP destination NOT located in US/Canada";
>>>>> geoip:dst,!US,CA; sid:3450002; rev:1;)
>>>>>
>>>>>
>>>>>
>>>>>> Regarding the city support, indeed the MaxMind DBs in their free
>>>>>> versions support cities in addition to countries although the accuracy
>>>>>> drops from 99.5% (for countries) to 78% in US (for cities), and I guess
>>>>>> much less accuracy in other countries.
>>>>>>
>>>>>> In the commercial DBs, they apparently support regions,
>>>>>> organizations... http://www.maxmind.com/en/geolocation_landing
>>>>>>
>>>>>> For now I will just implement support for countries, but we should
>>>>>> take this into account for the keyword syntax. I see some options:
>>>>>>
>>>>>>    - Autodetect city vs country. I could detect whether the
>>>>>>    condition is a known country code, and assume city otherwise. However, this
>>>>>>    will not work for regions, organizations...
>>>>>>    - Allow -for future versions- the check type as an optional param
>>>>>>    of the <match-on> condition, i.e.: geoip:src,city,Madrid;
>>>>>>
>>>>>>
>>>>> this would be awesome in my opinion.
>>>>>
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Oct 11, 2012 at 9:02 PM, Peter Manev <petermanev at gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I think I love that new geoip keyword - thank you for the efforts!
>>>>>>>
>>>>>>> A couple of suggestions/requests if I may:
>>>>>>>
>>>>>>> 1. I agree with/like the proposal - but I wonder if it would be possible
>>>>>>> to include multiples (maybe up to a certain number [32 or something]) of
>>>>>>> countries - like:
>>>>>>> alert http any any -> any any (msg:"GEOIP: IP located in
>>>>>>> US/Germany/Canada/France"; geoip:src,US,DE,CA,FR; sid:3450002;
>>>>>>> rev:1;)
>>>>>>>
>>>>>>> 2. As there is - src, dst, both - I think it would be nice if
>>>>>>> there is also "any" -
>>>>>>> alert http any any -> any any (msg:"GEOIP: some traffic to/from the
>>>>>>> Cayman Islands"; geoip:any,KY; sid:3450005; rev:1;)
>>>>>>> any - meaning either source or destination.
>>>>>>>
>>>>>>> thanks a bunch!
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Oct 11, 2012 at 6:42 PM, Victor Julien <victor at inliniac.net> wrote:
>>>>>>>
>>>>>>>> On 10/11/2012 06:16 PM, I. Sanchez wrote:
>>>>>>>> > Hi,
>>>>>>>> >
>>>>>>>> > I am implementing support for IP address country geolocation in
>>>>>>>> > Suricata, and I wanted to ask your opinion about the syntax to be
>>>>>>>> used
>>>>>>>> > for the geoip keyword options.
>>>>>>>> >
>>>>>>>> > https://redmine.openinfosecfoundation.org/issues/559
>>>>>>>> >
>>>>>>>> > The keyword options would be:
>>>>>>>> >
>>>>>>>> >   * Country code, i.e.: US
>>>>>>>> >   * Match condition: match on source IP, match on destination IP,
>>>>>>>> >     or match on both.
>>>>>>>> >
>>>>>>>> > What do you think would be the best syntax for this?
>>>>>>>> >
>>>>>>>> > Some possibilities:
>>>>>>>> >
>>>>>>>> >   * geoip:<src|dst|both>,<countrycode>;
>>>>>>>> >       o alert http any any -> any any (msg:"GEOIP: IP located in
>>>>>>>> >         US"; geoip:src,US; sid:3450002; rev:1;)
>>>>>>>> >   * geoip:<countrycode>,<src|dst|both>;
>>>>>>>> >       o alert http any any -> any any (msg:"GEOIP: IP located in
>>>>>>>> >         US"; geoip:US,src; sid:3450002; rev:1;)
>>>>>>>>
>>>>>>>> Thanks for picking this up!
>>>>>>>>
>>>>>>>> Doesn't the geoip also allow for other types of data, such as city?
>>>>>>>> I'm sure that if we have this in Suricata ppl will be interested in
>>>>>>>> buying the more detailed databases as well.
>>>>>>>>
>>>>>>>> --
>>>>>>>> ---------------------------------------------
>>>>>>>> Victor Julien
>>>>>>>> http://www.inliniac.net/
>>>>>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>>>>>> ---------------------------------------------
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Oisf-devel mailing list
>>>>>>>> Oisf-devel at openinfosecfoundation.org
>>>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>> Peter Manev
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Peter Manev
>>>>>
>>>>>
>>>>
>>>
>>
>
>
> --
> Regards,
> Peter Manev
>
>
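The thread above settles on the option syntax geoip:<src|dst|both|any>,[!]CC[,CC...]; and on comparing the flow's endpoints rather than the packet's (the "silly if" fix). As an added example, not Suricata's code and not the code posted in the thread, the block below models that whole behaviour stand-alone in C: it parses the proposed option string (including the "geoip:US; means geoip:any,US;" shortcut and a leading "!" that negates the whole list, which is one reading of Peter's geoip:dst,!US,CA; and is an assumption here), swaps src and dst on packets flowing to the client, and applies the src/dst/both/any rules. The /24 country table, the Pkt and GeoRule types, and every function name are constructed stand-ins for libgeoip and Suricata's own structures.

```c
/* Added example (not Suricata's code): a self-contained model of the geoip
 * match-on logic discussed in the thread. Country lookup is a constructed
 * /24 table standing in for libgeoip; Pkt models the Suricata fields used. */
#include <stdint.h>
#include <string.h>

enum { GEO_SRC = 1, GEO_DST = 2, GEO_BOTH = 4, GEO_ANY = 8, GEO_NEGATED = 16 };
#define GEO_MAX_CC 8

typedef struct {
    uint32_t src, dst;   /* IPv4 addresses, host byte order (constructed) */
    int to_client;       /* models p->flowflags & FLOW_PKT_TOCLIENT */
} Pkt;

typedef struct {
    int flags;
    char cc[GEO_MAX_CC][3];
    int ncc;
} GeoRule;

/* Constructed stand-in for a GeoIP country database: /24 network -> country */
static const char *lookup_country(uint32_t ip)
{
    static const struct { uint32_t net; const char *cc; } db[] = {
        { 0x0A000000u, "US" },  /* 10.0.0.0/24 */
        { 0x0A000100u, "DE" },  /* 10.0.1.0/24 */
        { 0x0A000200u, "KY" },  /* 10.0.2.0/24 */
    };
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if ((ip & 0xFFFFFF00u) == db[i].net)
            return db[i].cc;
    return NULL;             /* address not in the database */
}

/* Is the address's country in the rule's list? Negation inverts the answer,
 * so an unlocated address counts as "not in the list" (assumption). */
static int country_matches(const GeoRule *r, uint32_t ip)
{
    const char *cc = lookup_country(ip);
    int hit = 0;
    for (int i = 0; cc != NULL && i < r->ncc; i++)
        if (strcmp(cc, r->cc[i]) == 0) { hit = 1; break; }
    return (r->flags & GEO_NEGATED) ? !hit : hit;
}

/* Parse the text after "geoip:": "<src|dst|both|any>,[!]CC[,CC...]".
 * A bare "US" is read as "any,US". Returns 0 on success, -1 if malformed. */
static int parse_geoip(const char *opt, GeoRule *r)
{
    char buf[128];
    if (strlen(opt) >= sizeof buf)
        return -1;
    strcpy(buf, opt);
    memset(r, 0, sizeof *r);

    char *tok = strtok(buf, ",");
    int keyword = 1;
    if (tok == NULL)                   return -1;
    else if (strcmp(tok, "src") == 0)  r->flags = GEO_SRC;
    else if (strcmp(tok, "dst") == 0)  r->flags = GEO_DST;
    else if (strcmp(tok, "both") == 0) r->flags = GEO_BOTH;
    else if (strcmp(tok, "any") == 0)  r->flags = GEO_ANY;
    else { r->flags = GEO_ANY; keyword = 0; }  /* first token is a country */
    if (keyword)
        tok = strtok(NULL, ",");

    for (; tok != NULL; tok = strtok(NULL, ",")) {
        if (*tok == '!') {             /* "!US,CA" negates the whole list */
            if (r->ncc != 0) return -1; /* only allowed on the first code */
            r->flags |= GEO_NEGATED;
            tok++;
        }
        if (strlen(tok) != 2 || r->ncc >= GEO_MAX_CC)
            return -1;
        strcpy(r->cc[r->ncc++], tok);
    }
    return r->ncc > 0 ? 0 : -1;
}

/* Compare the flow's endpoints, not the packet's: on a packet travelling
 * to the client, the packet dst is the flow src and vice versa. */
static int geoip_match(const GeoRule *r, const Pkt *p)
{
    uint32_t flow_src = p->to_client ? p->dst : p->src;
    uint32_t flow_dst = p->to_client ? p->src : p->dst;
    int s = country_matches(r, flow_src);
    int d = country_matches(r, flow_dst);
    if (r->flags & GEO_SRC)  return s;
    if (r->flags & GEO_DST)  return d;
    if (r->flags & GEO_BOTH) return s && d;
    return s || d;                     /* any */
}

/* Convenience wrapper: -1 on a bad option string, else the 0/1 match result. */
static int check(const char *opt, uint32_t src, uint32_t dst, int to_client)
{
    GeoRule r;
    Pkt p = { src, dst, to_client };
    if (parse_geoip(opt, &r) != 0)
        return -1;
    return geoip_match(&r, &p);
}
```

check("src,US", 0x0A000005u, 0x0A000105u, 1) models the case from the thread: a reply packet from a US server (10.0.0.5 in the constructed table) to a DE client (10.0.1.5) with the to-client flag set. Because the flow's source is the DE client, geoip:src,US; returns 0; the same packet evaluated on raw packet addresses would have fired, which is the false positive the earlier version of the match function produced. Negated rules deserve one caveat: an address absent from the database is reported as "not in the list", so geoip:dst,!US,CA; also fires on unlocated destinations.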