Given the log entry below, what decides which IP (src_ip or dest_ip) the GeoIP information is resolved for?
Is there a way to control this?
This rule triggered the alert below:
drop ip any any -> any any (msg:"GeoIP countrydrop"; geoip:!US,NL,GB,DE,DK,CA,BE,AU; sid:55555557; rev:1;)
{
_id: "096BhH8B8OKxNfe-Lml4",
_index: "logstash-alert-2022.03.13",
_score: null,
_source: {
"@timestamp": "2022-03-13T18:18:52.111Z",
"@version": "1",
alert: {
action: "blocked",
category: "",
gid: 1,
rev: 1,
severity: 3,
signature: "GeoIP countrydrop",
signature_id: 55555557
},
community_id: "1:xoNajfbvZU+hzhsYRDskNi3zH5Y=",
dest_ip: "my ip",
dest_port: 8582,
ether: {
dest_mac: "b4:na:na:na:na:a1",
src_mac: "00:17:10:8d:ed:0d"
},
event_type: "alert",
flow: {
bytes_toclient: 0,
bytes_toserver: 60,
pkts_toclient: 0,
pkts_toserver: 1,
start: "2022-03-13T14:18:52.111705-0400"
},
flow_id: 1751110604600409,
geoip: {
city_name: "Waxhaw",
continent_code: "NA",
coordinates: [
"26.0",
"59.0",
"-80.7278",
"34.9251"
],
country_code2: "US",
country_code3: "US",
country_name: "United States",
dma_code: 517,
ip: "**MY IP**",
latitude: 34.9251,
location: {
lat: 34.9251,
lon: -80.7278
},
longitude: -80.7278,
postal_code: "28173",
region_code: "NC",
region_name: "North Carolina",
timezone: "America/New_York"
},
host: "SELKS",
in_iface: "enp3s0f0",
packet: "tPvkjtShABcQje0NCABFAAAoI3YAAPIG63O5SX5kYhggINB2IYYXyCLQAAAAAFACBADFZwAAAAAAAAAA",
packet_info: {
linktype: 1
},
path: "/var/log/suricata/eve.json",
payload: "",
payload_printable: "",
proto: "TCP",
src_ip: "185.73.126.100",
src_port: 53366,
stream: 0,
timestamp: "2022-03-13T14:18:52.111705-0400",
type: "SELKS"
},
_type: "_doc",
sort: [
1647195532111
]
}