I have been solving one problem with Suricata for a very long time. The problem is related to geoip. I created my own database of IP addresses, converted it to mmdb format using Perl, and set up the Suricata configuration file. However, after entering a simple rule, for example: `alert ip any any -> any any (msg:"GeoIP from CANADA"; flow:to_server; geoip:CA; sid:2; rev:1;)`
there is no response in the log. I am from the Czech Republic and I perform the test via VPN from Canada. I don't know what could be causing the rule not to fire. Thanks a lot.
I solved the problem. The issue was in the json file which is the source file used to generate the mmdb file. I had the wrong netmask in the json file. I use a combined format of IPv6 and IPv4 (for example like this: ::188.8.131.52/120). If you create an IPv6 address in this format you have to recalculate the netmask. For example, /24 in IPv4 becomes 96 + 24 = 120:
96 - the number of bits of the IPv6 part ( :: )
24 - the number of bits of the IPv4 part.
I hope it's understandable and it will help someone.
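As an added example (not part of the original post), the prefix-length recalculation described above can be checked mechanically before the json is fed to the mmdb generator. The script below uses Python's standard `ipaddress` module: it converts an IPv4 CIDR into the `::a.b.c.d/(96+n)` form the post uses, verifies that the resulting range still contains a given IPv4 address, and flags an entry whose prefix was copied unchanged from IPv4 (the `/24` mistake). The network `203.0.113.0/24` and the function names are constructed for this example and are not from the post or from any Suricata or MaxMind tooling.

```python
import ipaddress

# Number of leading zero bits represented by '::' in front of an embedded
# IPv4 address (128 - 32). This is the "96" in the post's 96 + 24 = 120.
IPV6_EMBED_BITS = 96


def ipv6_prefixlen(ipv4_prefixlen):
    """Prefix length an IPv4 /n becomes once the range is written as ::a.b.c.d/m."""
    if not 0 <= ipv4_prefixlen <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return IPV6_EMBED_BITS + ipv4_prefixlen


def ipv4_cidr_to_v6_tree(cidr):
    """Convert 'a.b.c.d/n' into the IPv6-keyed form '::a.b.c.d/(96+n)'.

    Host bits in the input are masked off (strict=False) so that an address
    like 203.0.113.52/24 still yields the /24 block's network address.
    """
    v4 = ipaddress.IPv4Network(cidr, strict=False)
    # The integer value of an IPv4 address is the same integer as '::a.b.c.d'.
    v6_addr = ipaddress.IPv6Address(int(v4.network_address))
    return ipaddress.IPv6Network((v6_addr, ipv6_prefixlen(v4.prefixlen)))


def covers(v6_net, ipv4_text):
    """True if the IPv6-form range contains the given IPv4 address."""
    as_v6 = ipaddress.IPv6Address(int(ipaddress.IPv4Address(ipv4_text)))
    return as_v6 in v6_net


def check_entry(v6_cidr_text, intended_ipv4_cidr):
    """Validate one database entry written as '::a.b.c.d/m'.

    Returns a list of human-readable problems; an empty list means the entry
    matches the intended IPv4 block exactly.
    """
    entry = ipaddress.IPv6Network(v6_cidr_text, strict=False)
    wanted = ipv4_cidr_to_v6_tree(intended_ipv4_cidr)
    problems = []
    if entry.prefixlen < IPV6_EMBED_BITS:
        # A prefix shorter than /96 was almost certainly copied from the IPv4
        # notation unchanged; it spans far more than any IPv4 range.
        problems.append(
            f"prefix /{entry.prefixlen} is shorter than /{IPV6_EMBED_BITS}; "
            f"did you forget to add {IPV6_EMBED_BITS}? "
            f"(entry covers {entry.num_addresses} addresses)"
        )
    if entry != wanted:
        problems.append(f"expected {wanted}, got {entry}")
    return problems


if __name__ == "__main__":
    # Constructed sample block (documentation range), not a real entry.
    block = "203.0.113.0/24"
    good = ipv4_cidr_to_v6_tree(block)
    print("correct entry:", good)                 # ::cb00:7100/120
    print("contains 203.0.113.52:", covers(good, "203.0.113.52"))
    # The mistake from the post: IPv6 form but the IPv4 prefix length.
    for problem in check_entry("::203.0.113.52/24", block):
        print("problem:", problem)
    print("fixed entry ok:", check_entry("::203.0.113.0/120", block) == [])
```

Run it against every entry of the json before generating the mmdb; any entry with a prefix shorter than /96 is the symptom the post describes, and `check_entry` also catches an entry whose prefix length is right but whose network address does not match the block it was meant to describe.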