[Oisf-users] [EXT] Geoip

Cloherty, Sean E scloherty at mitre.org
Wed Oct 9 15:24:15 UTC 2019


Did you give suri permissions to the file?

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Nafisa Mandliwala
Sent: Tuesday, October 8, 2019 3:27 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [EXT] [Oisf-users] Geoip

Hi,

I'm trying out the geoip feature. I have -
1. The libgeoip1 and libgeoip-dev installed.
2. Configured Suricata with "--enable-geoip" and have verified it by running "suricata --build-info".
3. Updated path to maxmind db in suricata.yaml

I'm editing the following signature -
alert http any any -> any any (msg:"SURICATA HTTP unable to match response to request"; flow:established,to_client; app-layer-event:http.unable_to_match_response_to_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221010; rev:1; geoip:any, US, UK;)

While loading rules, Suricata errors out and doesn't load this rule-
8/10/2019 -- 12:12:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
8/10/2019 -- 12:12:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"SURICATA HTTP unable to match response to request"; flow:established,to_client; app-layer-event:http.unable_to_match_response_to_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221010; rev:1; geoip:any, US, UK;)" from file /etc/suricata/rules/http-events.rules at line 20

Any idea what I'm missing?

Thanks,
Nafisa
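An added example, not code from the thread or from the Suricata project, that reproduces the check behind the error above as a small rule linter: it parses a rule's header and option keywords and reports packet-specific keywords (geoip, plus the dsize, flags and ttl the message names) combined with an app-layer header protocol such as http or with app-layer keywords such as app-layer-event. The keyword and protocol sets are illustrative assumptions, not Suricata's full tables.

```python
import re

# Illustrative keyword sets, not Suricata's full tables: the packet-specific
# keywords the error message names plus geoip, and the header protocols and
# option keywords that bind a signature to app-layer (state) matching.
PACKET_KEYWORDS = {"geoip", "dsize", "flags", "ttl"}
APP_LAYER_PROTOS = {"http", "tls", "dns", "ssh", "smtp", "ftp", "smb"}
APP_LAYER_KEYWORDS = {"app-layer-event", "app-layer-protocol"}
HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)(?:\s+\S+){2}\s+(?:->|<>)(?:\s+\S+){2}\s*\((.*)\)\s*$", re.S)

def split_options(body):
    """Split the rule body on ';' while ignoring ';' inside quoted values."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"' and not (cur and cur[-1] == "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def parse_rule(rule):
    """Return (action, protocol, [option keywords]) for one Suricata rule."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unrecognised rule header: " + rule[:40])
    keywords = [o.split(":", 1)[0].strip().lower() for o in split_options(m.group(3))]
    return m.group(1), m.group(2).lower(), keywords

def lint_rule(rule):
    """Return a list of findings; an empty list means this check passes."""
    _action, proto, keywords = parse_rule(rule)
    packet = sorted(k for k in keywords if k in PACKET_KEYWORDS)
    reasons = ["header protocol '%s'" % proto] if proto in APP_LAYER_PROTOS else []
    reasons += ["keyword '%s'" % k for k in keywords
                if k in APP_LAYER_KEYWORDS or k.startswith(("http_", "http."))]
    if packet and reasons:
        return ["packet keyword(s) %s combined with app-layer matching via %s"
                % (", ".join(packet), "; ".join(reasons))]
    return []

# The rule quoted in the message above (classtype spelled out, as in the error log).
PAGE_RULE = ('alert http any any -> any any (msg:"SURICATA HTTP unable to match response to request"; '
             'flow:established,to_client; app-layer-event:http.unable_to_match_response_to_request; '
             'flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221010; rev:1; '
             'geoip:any, US, UK;)')
```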
