[Oisf-users] [EXT] Geoip

Nafisa Mandliwala nafisa.mandliwala at gmail.com
Wed Oct 9 19:20:54 UTC 2019


I've set the file permissions for GeoLite2-Country.mmdb to -rwxrwxrwx, and it
still shows the signature parsing error.

I'm guessing this error has something to do with loading the signatures and
not accessing the db.

On Wed, Oct 9, 2019 at 8:24 AM Cloherty, Sean E <scloherty at mitre.org> wrote:

> Did you give suri permissions to the file?
>
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On
> Behalf Of Nafisa Mandliwala
> Sent: Tuesday, October 8, 2019 3:27 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: [EXT] [Oisf-users] Geoip
>
> Hi,
>
> I'm trying out the geoip feature. I have -
>
> 1. The libgeoip1 and libgeoip-dev installed.
>
> 2. Configured Suricata with "--enable-geoip" and have verified it by
> running "suricata --build-info".
>
> 3. Updated path to maxmind db in suricata.yaml
>
> I'm editing the following signature -
>
> alert http any any -> any any (msg:"SURICATA HTTP unable to match response
> to request"; flow:established,to_client;
> app-layer-event:http.unable_to_match_response_to_request;
> flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
> sid:2221010; rev:1; geoip:any, US, UK;)
>
> While loading rules, Suricata errors out and doesn't load this rule-
>
> 8/10/2019 -- 12:12:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - Signature combines packet specific matches (like dsize, flags, ttl) with
> stream / state matching by matching on app layer proto (like using http_*
> keywords).
> 8/10/2019 -- 12:12:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert http any any -> any any (msg:"SURICATA
> HTTP unable to match response to request"; flow:established,to_client;
> app-layer-event:http.unable_to_match_response_to_request;
> flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
> sid:2221010; rev:1; geoip:any, US, UK;)" from file
> /etc/suricata/rules/http-events.rules at line 20
>
> Any idea what I'm missing?
>
> Thanks,
>
> Nafisa
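As an added illustration (not code from this thread or from Suricata itself), a small Python lint that reproduces the consistency check behind the SC_ERR_INVALID_SIGNATURE error quoted above: it flags a rule that combines packet-level keywords (the dsize, flags and ttl named in the error, plus the geoip keyword used in this rule) with app-layer matching (an application-layer protocol in the rule header, app-layer-event, or http* keywords). The keyword sets are assumptions drawn from the error text, not Suricata's own tables.

```python
import re

# Keyword groups assumed from the error text in the thread: "packet specific
# matches (like dsize, flags, ttl)" versus app-layer / stream matching.
# geoip is added because it is the packet-level keyword in the rule above.
PACKET_KEYWORDS = {"dsize", "flags", "ttl", "geoip"}
APP_LAYER_KEYWORDS = {"app-layer-event"}
APP_LAYER_PROTOS = {"http", "dns", "tls", "smtp", "ssh", "ftp"}

# The rule from the thread, with the geoip option that triggers the error.
RULE = ('alert http any any -> any any (msg:"SURICATA HTTP unable to match '
        'response to request"; flow:established,to_client; '
        'app-layer-event:http.unable_to_match_response_to_request; '
        'flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; '
        'sid:2221010; rev:1; geoip:any, US, UK;)')


def split_options(body):
    """Split a rule's option body on ';' while leaving quoted strings intact."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def parse_rule(rule):
    """Return (protocol, {option_keyword: value}) for a single-line rule."""
    m = re.match(r"^\s*(\w+)\s+(\w+)\s+.*?\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("not a Suricata rule")
    _action, proto, body = m.groups()
    options = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip()
    return proto, options


def lint_rule(rule):
    """Flag packet-level keywords mixed with app-layer matching, as Suricata does."""
    proto, opts = parse_rule(rule)
    packet = sorted(k for k in opts if k in PACKET_KEYWORDS)
    stream = [f"proto {proto}"] if proto in APP_LAYER_PROTOS else []
    stream += sorted(k for k in opts if k in APP_LAYER_KEYWORDS or k.startswith("http"))
    return {"ok": not (packet and stream), "packet": packet, "stream": stream}
```

The same check passes once geoip is removed from this rule or placed in a rule on a non-app-layer protocol such as ip, which is what the second assertion below exercises.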