When I use Docker to run Suricata, I am unable to turn on geoip

songshengping · December 19, 2023, 7:11am

Please include the following information with your help request:

Suricata version

Operating system and/or Linux distribution

How you installed Suricata (from source, packages, something else)
When I use Docker to run Suricata, I am unable to turn on geoip

I am using the latest version of the image jasonish/puricata
system is centos7.6
I am download geoip from https://www.maxmind.com/en/accounts/951689/geoip/downloads just now
My Docker Run Command is

I have enabled it in my configuration file

geoip database:/usr/local/share/GeoLite2/GeoLite2 Country.mmdb
Outputs. live log. types. alert. geoip: true

But there is no information about geoip loaded in my startup log, and there is also no information about geoip in the generated alarm log

I am using curl http://testmynids.org/uid/index.html To trigger alarm messages

I executed the Suricata – build info command in the Docker container, which indicates that it supports GeoIP2 support

bmeeks · December 20, 2023, 1:16pm

Do you have any GeoIP text rules created or enabled? You must have corresponding text rules to use along with the GeoIP database.

Enabling GeoIP in the YAML conf file only configures Suricata to lookup IP addresses in the GeoIP database. It does not provide the rules necessary to inspect the traffic and actually perform the geo-location. Here is an example GeoIP text rule that detects IP addresses originating from Japan:

alert ip any any -> any any (msg:"GeoIP from JP,Japan "; geoip:JP; sid:55555555; rev:1;)

Note that it uses the 'geoip:" keyword followed by the target country code.

songshengping · December 21, 2023, 1:36am

I know about this, and I have also tested it this way. What I want to know is whether Suricata supports outputting geoip information (such as city, region, longitude and latitude) to alert logs

bmeeks · December 21, 2023, 2:42am

No, it only outputs the message from the text rule and the normal alert data such as timestamp, source and destination IP addresses, etc.

songshengping · December 21, 2023, 2:56am

Okay, I understand. Thank you. I’ll write my own program and complete this part of the logic myself. Thank you again

Topic		Replies	Views
TCP reverse shell detection Rules rules , suricata	1	671	November 1, 2022
SSH alert direction Rules	7	742	October 10, 2023
Fast.log enabled but not generating logs Help suricata	7	900	July 11, 2023
Suricata cannot audit the http protocol of mirrored data Help community	1	931	September 28, 2021
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	450	August 10, 2023

When I use Docker to run Suricata, I am unable to turn on geoip

Related Topics