Please include the following information with your help request:
- Suricata version
- Operating system and/or Linux distribution
- How you installed Suricata (from source, packages, something else)
When I use Docker to run Suricata, I am unable to turn on geoip
I am using the latest version of the image jasonish/suricata.
The system is CentOS 7.6.
I downloaded the GeoIP database from https://www.maxmind.com/en/accounts/951689/geoip/downloads just now.
My Docker Run Command is
I have enabled it in my configuration file
geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb
outputs:
  - eve-log:
      types:
        - alert:
            geoip: true
But there is no information about GeoIP being loaded in my startup log, and there is also no GeoIP information in the generated alarm log.
I am using curl http://testmynids.org/uid/index.html to trigger alarm messages.
I executed the suricata --build-info command in the Docker container, and it indicates that GeoIP2 support is enabled.
Do you have any GeoIP text rules created or enabled? You must have corresponding text rules to use along with the GeoIP database.
Enabling GeoIP in the YAML conf file only configures Suricata to lookup IP addresses in the GeoIP database. It does not provide the rules necessary to inspect the traffic and actually perform the geo-location. Here is an example GeoIP text rule that detects IP addresses originating from Japan:
alert ip any any -> any any (msg:"GeoIP from JP,Japan "; geoip:JP; sid:55555555; rev:1;)
Note that it uses the 'geoip:' keyword followed by the target country code.
I know about this, and I have also tested it this way. What I want to know is whether Suricata supports outputting geoip information (such as city, region, longitude and latitude) to alert logs
No, it only outputs the message from the text rule and the normal alert data such as timestamp, source and destination IP addresses, etc.
Okay, I understand. Thank you. I’ll write my own program and complete this part of the logic myself. Thank you again
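The enrichment step the original poster says they will write themselves, as an added example that is not part of this thread or of Suricata: it reads eve.json lines, keeps only alert events, and attaches country/region/city/latitude/longitude for each public endpoint. The sample eve lines and the in-memory lookup table are constructed; the mmdb_lookup helper assumes the third-party maxminddb package and a downloaded GeoLite2-City.mmdb, and is not exercised by the sample.

```python
import ipaddress
import json
from typing import Callable, Dict, Optional

# Constructed sample eve.json lines (not real traffic): one alert, one flow event.
SAMPLE_EVE = [
    '{"timestamp":"2020-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.50","src_port":51000,"dest_ip":"203.0.113.10","dest_port":80,'
    '"alert":{"signature":"GeoIP from JP,Japan","signature_id":55555555}}',
    '{"timestamp":"2020-01-01T00:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"192.168.1.50","dest_ip":"203.0.113.10"}',
]
# Constructed stand-in for the MMDB: the GeoLite2-City fields the question asks for.
SAMPLE_GEO = {"203.0.113.10": {"country": "JP", "region": "13", "city": "Tokyo",
                               "latitude": 35.69, "longitude": 139.69}}

def sample_lookup(ip: str) -> Optional[Dict]:
    return SAMPLE_GEO.get(ip)

def mmdb_lookup(path: str) -> Callable[[str], Optional[Dict]]:
    """Same lookup shape over a real GeoLite2-City .mmdb (assumes maxminddb is installed)."""
    import maxminddb
    reader = maxminddb.open_database(path)
    def lookup(ip: str) -> Optional[Dict]:
        rec = reader.get(ip)
        if not rec:
            return None
        loc, subs = rec.get("location", {}), rec.get("subdivisions") or [{}]
        return {"country": rec.get("country", {}).get("iso_code"),
                "region": subs[0].get("iso_code"),
                "city": rec.get("city", {}).get("names", {}).get("en"),
                "latitude": loc.get("latitude"), "longitude": loc.get("longitude")}
    return lookup

# GeoLite2 has no records for these ranges, so the lookup is skipped for them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                 "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def is_routable(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)

def enrich_alert(line: str, lookup: Callable[[str], Optional[Dict]]) -> Optional[dict]:
    """Parse one eve.json line; for alert events add <side>_geoip per public endpoint.
    Non-alert lines, malformed JSON and addresses with no record are left alone."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if ev.get("event_type") != "alert":
        return None
    for side in ("src_ip", "dest_ip"):
        ip = ev.get(side)
        geo = lookup(ip) if ip and is_routable(ip) else None
        if geo:
            ev[side + "_geoip"] = geo
    return ev
```

Run it as a filter over a live eve.json (for example tail -F eve.json piped into a loop calling enrich_alert with mmdb_lookup) and write the enriched events to a separate file rather than back into Suricata's own log.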