[Oisf-users] Geoip

Nafisa Mandliwala nafisa.mandliwala at gmail.com
Tue Oct 8 19:27:19 UTC 2019


Hi,

I'm trying out the geoip feature. I have -
1. The libgeoip1 and libgeoip-dev installed.
2. Configured Suricata with "--enable-geoip" and have verified it by
running "suricata --build-info".
3. Updated path to maxmind db in suricata.yaml

I'm editing the following signature -
alert http any any -> any any (msg:"SURICATA HTTP unable to match response
to request"; flow:established,to_client;
app-layer-event:http.unable_to_match_response_to_request;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
sid:2221010; rev:1; *geoip:any, US, UK;*)

While loading rules, Suricata errors out and doesn't load this rule-
8/10/2019 -- 12:12:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords).
8/10/2019 -- 12:12:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
error parsing signature "alert http any any -> any any (msg:"SURICATA HTTP
unable to match response to request"; flow:established,to_client;
app-layer-event:http.unable_to_match_response_to_request;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
sid:2221010; rev:1; geoip:any, US, UK;)" from file
/etc/suricata/rules/http-events.rules at line 20

Any idea what I'm missing?

Thanks,
Nafisa
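The error message above states the constraint the rule trips over: a packet-specific keyword (the message names dsize, flags and ttl; geoip is what triggered it here) cannot sit in a signature that matches on an app-layer protocol or uses http_* keywords. The following lint check is an added example, not code from the thread or from Suricata; the keyword set and the app-layer heuristic (header proto outside ip/tcp/udp/icmp, an app-layer-event option, or any http_/http. keyword) are assumptions drawn from that message, not Suricata's full internal classification.

```python
import re

# Packet-specific keywords named in the SC_ERR_INVALID_SIGNATURE message above,
# plus geoip, the keyword that triggered it (constructed list, not Suricata's
# complete internal classification).
PACKET_KEYWORDS = {"geoip", "dsize", "flags", "ttl"}
# Header protocols that carry no app-layer state on their own.
PACKET_PROTOS = {"ip", "tcp", "udp", "icmp"}
# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*\w+\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$", re.S)

def split_options(body):
    """Split the option body on ';' outside double quotes into (keyword, value)."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur))
    pairs = []
    for opt in opts:
        if opt.strip():
            key, _, value = opt.strip().partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs

def find_conflicts(rule):
    """Return packet-only keywords that clash with app-layer matching ([] if none)."""
    match = HEADER_RE.match(" ".join(rule.split()))  # undo mail line wrapping
    if not match:
        raise ValueError("could not parse rule header")
    proto, body = match.group(1), match.group(2)
    keywords = {k for k, _ in split_options(body)}
    uses_app_layer = (proto not in PACKET_PROTOS
                      or "app-layer-event" in keywords
                      or any(k.startswith(("http_", "http.")) for k in keywords))
    return sorted(keywords & PACKET_KEYWORDS) if uses_app_layer else []

# The rule from the thread, as one string.
POSTED_RULE = ('alert http any any -> any any (msg:"SURICATA HTTP unable to match '
               'response to request"; flow:established,to_client; '
               "app-layer-event:http.unable_to_match_response_to_request; "
               "flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; "
               "sid:2221010; rev:1; geoip:any, US, UK;)")
```

Running `find_conflicts(POSTED_RULE)` returns `['geoip']`; the same rule with the geoip option removed returns `[]`, which matches the loader's behaviour described in the thread.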