[Oisf-devel] geoip keyword syntax
Brandon Ganem
brandonganem+oisf at gmail.com
Thu Oct 11 16:38:05 UTC 2012
My vote goes to <match on>,<condition>
So, alert http any any -> any any (msg:"GEOIP: IP located in US"; geoip:src,US; sid:3450002;rev:1;)
On Thu, Oct 11, 2012 at 12:16 PM, I. Sanchez <sanchezmartin.ji at gmail.com> wrote:
> Hi,
>
> I am implementing support for IP address country geolocation in Suricata,
> and I wanted to ask your opinion about the syntax to be used for the geoip
> keyword options.
>
> https://redmine.openinfosecfoundation.org/issues/559
>
> The keyword options would be:
>
> - Country code, i.e. US
> - Match condition: match on source IP, match on destination IP, or
> match on both.
>
> What do you think would be the best syntax for this?
>
> Some possibilities:
>
> - geoip:<src|dst|both>,<countrycode>;
> - alert http any any -> any any (msg:"GEOIP: IP located in US";
> geoip:src,US;sid:3450002;rev:1;)
> - geoip:<countrycode>,<src|dst|both>;
> - alert http any any -> any any (msg:"GEOIP: IP located in US";
> geoip:US,src;sid:3450002;rev:1;)
>
>
> Regards,
>
> I. Sanchez
>
>
>
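The ordering voted for above, geoip:<src|dst|both>,<countrycode>, as an added example that is not part of this thread or of Suricata's own code: a small Python parser and matcher for the option, using a constructed network-to-country table in place of a real GeoIP database. Treating "both" as "source and destination must both be in the country", and rejecting the reverse ordering, are assumptions of this example, not something the thread settles.

```python
import ipaddress
import re

# Constructed stand-in for a GeoIP database (network -> ISO country code).
# A real implementation would query a GeoIP database; this table exists
# only so the example runs offline.
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}

# Option value in the voted-for order: <src|dst|both>,<countrycode>
GEOIP_OPT = re.compile(r"\bgeoip:\s*(\w+)\s*,\s*(\w+)\s*;")
CONDITIONS = ("src", "dst", "both")


def country_of(ip):
    """Return the country code for an address, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_DB.items():
        if addr in net:
            return cc
    return None


def parse_geoip(rule):
    """Extract (condition, country) from a rule's geoip option.

    The reverse ordering (geoip:US,src) is rejected with an error so a
    rule author cannot silently write the option backwards.
    """
    m = GEOIP_OPT.search(rule)
    if not m:
        raise ValueError("rule has no geoip option")
    cond, cc = m.group(1), m.group(2)
    if cond not in CONDITIONS:
        raise ValueError(f"geoip: expected src|dst|both first, got {cond!r}")
    if not re.fullmatch(r"[A-Z]{2}", cc):
        raise ValueError(f"geoip: expected 2-letter country code, got {cc!r}")
    return cond, cc


def geoip_match(rule, src_ip, dst_ip):
    """Evaluate the rule's geoip option against a packet's address pair."""
    cond, cc = parse_geoip(rule)
    src_hit = country_of(src_ip) == cc
    dst_hit = country_of(dst_ip) == cc
    if cond == "src":
        return src_hit
    if cond == "dst":
        return dst_hit
    # "both": assumed here to mean src and dst must both be in the country.
    return src_hit and dst_hit
```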