[Oisf-users] duplicate signature

Vieri rentorbuy at yahoo.com
Thu Feb 23 08:12:20 UTC 2017



----- Original Message -----

From: Victor Julien <lists at inliniac.net>
>> # grep 5000001 /etc/suricata/rules/*
>> /etc/suricata/rules/local.rules:drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"obnoxious GeoIP block"; geoip:src,!US,CA,EU,ES,PT,FR,DE,GB,IT,BE; sid:5000001; rev:1;)
>
> Could you be loading the same rule file twice?


Right. My bad. I wrongly included the file twice.

By the way, the negating rule example in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/GeoIP should be used with care. Never use that with alert/drop ip any any -> any any or the system will come to a crawl with 100% CPU. I guess that's because the Suricata equivalent of "geoiplookup <private_ip>" evaluates to true when using ! in the rule.

Maybe the line that reads:
geoip:src,!ES,JP,US,UK,PT;sid:1; --> this will trigger if src IP of the packet is not ES or JP or US or UK or PT
should be changed to:
geoip:src,!ES,JP,US,GB,PT;sid:1; --> this will trigger if src IP of the packet is not ES or JP or US or GB or PT or if it's in a private address range

(note that UK doesn't exist - it could be either GB, United Kingdom or UA, Ukraine)

Vieri
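The two problems discussed in this thread (a rule file included twice, so the same sid is loaded twice, and a negated geoip match on an unrestricted any -> any header) can both be caught before Suricata loads the ruleset. The following Python linter is an added example and is not code from the original post or from the Suricata project. The rule files, load order and GeoIP table are constructed inline; the `geoip_matches` function models the behaviour Vieri describes (an address with no country in the database satisfies a negated country list), which is the poster's observation, not a verified statement about Suricata internals.

```python
"""Lint constructed Suricata rule files for duplicate sids and for negated
geoip matches on any -> any headers.  Added example, not Suricata code."""
import ipaddress
import re
from collections import defaultdict

# sid:NNN; inside the rule options
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# geoip:<side>,[!]CC,CC,...; (the '!' group is empty when the list is not negated)
GEOIP_RE = re.compile(r"\bgeoip\s*:\s*(src|dst|both|any)\s*,\s*(!?)([A-Z,]+)\s*;")
# action proto src_addr src_port direction dst_addr dst_port (
HEADER_RE = re.compile(
    r"^\s*(alert|drop|pass|reject)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\("
)

# Constructed rule files.  LOAD_ORDER lists local.rules twice to mimic the
# misconfiguration from the thread.
RULE_FILES = {
    "local.rules": [
        'drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"obnoxious GeoIP block"; '
        'geoip:src,!US,CA,EU,ES,PT,FR,DE,GB,IT,BE; sid:5000001; rev:1;)',
    ],
    "geoip-test.rules": [
        'alert ip any any -> any any (msg:"negated geoip on any/any"; '
        'geoip:src,!ES,JP,US,GB,PT; sid:1; rev:1;)',
        'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"positive geoip"; '
        'geoip:src,RU; sid:2; rev:1;)',
    ],
}
LOAD_ORDER = ["local.rules", "local.rules", "geoip-test.rules"]

# Constructed toy GeoIP table (network -> ISO country).  Anything not listed,
# RFC 1918 space included, has no country, like a miss in a real database.
TOY_GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "ES",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
}


def find_duplicate_sids(files, load_order):
    """Return {sid: [(file, lineno), ...]} for every sid seen more than once
    across the files in load order (a file listed twice counts twice)."""
    seen = defaultdict(list)
    for name in load_order:
        for lineno, line in enumerate(files[name], 1):
            m = SID_RE.search(line)
            if m:
                seen[int(m.group(1))].append((name, lineno))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}


def negated_geoip_on_any(files):
    """Return the sids whose geoip list is negated and whose header is any -> any."""
    risky = []
    for lines in files.values():
        for line in lines:
            h, g, s = HEADER_RE.match(line), GEOIP_RE.search(line), SID_RE.search(line)
            if not (h and g and s):
                continue
            if g.group(2) == "!" and h.group(3) == "any" and h.group(6) == "any":
                risky.append(int(s.group(1)))
    return risky


def lookup_country(ip):
    """Toy lookup: country code for ip, or None when no network covers it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in TOY_GEOIP.items():
        if addr in net:
            return cc
    return None


def geoip_matches(negated, countries, ip):
    """Model of the behaviour described in the thread (assumption): a negated
    list is true whenever the looked-up country is not in it, and a lookup
    miss (None, e.g. a private address) is treated as 'not in the list'."""
    cc = lookup_country(ip)
    return cc not in countries if negated else cc in countries


if __name__ == "__main__":
    print("duplicate sids:", find_duplicate_sids(RULE_FILES, LOAD_ORDER))
    print("negated geoip on any -> any:", negated_geoip_on_any(RULE_FILES))
    for ip in ("203.0.113.5", "198.51.100.7", "192.168.1.10"):
        print(ip, "matches !ES,JP,US,GB,PT:",
              geoip_matches(True, {"ES", "JP", "US", "GB", "PT"}, ip))
```

Running it reports sid 5000001 twice from local.rules (the duplicate-signature symptom from the grep above), flags sid 1 as a negated geoip rule on any -> any, and shows that under the modelled semantics the private address 192.168.1.10 satisfies the negated list while 203.0.113.5 (ES) does not.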


