Bug #2765

GeoIP keyword depends on now discontinued legacy GeoIP database

Added by Bill Meeks 3 months ago. Updated 14 days ago.

Status: Resolved
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort: medium
Difficulty:
Label:

Description

The "geoip" keyword functionality depends on the now discontinued GeoIP Legacy Free Database format. Maxmind, the creator and owner of the database, has removed the legacy-format GeoIP database files from their download site as of January 2, 2019 and now provides only the newer GeoIP2 format files with the "*.mmdb" database extension. This new format is different from, and incompatible with, that of the GeoIP library and database currently used by Suricata.

The new GeoIP2 format requires use of the libmaxminddb library and its API. Details can be found here: https://github.com/maxmind/libmaxminddb/blob/master/doc/libmaxminddb.md

The legacy format GeoIP database files have been removed from the Maxmind web site and are no longer available. See this post: https://support.maxmind.com/geolite-legacy-discontinuation-notice/

Without a changeover to the new Maxmind DB library, the geoip keyword will cease to function since the required database is no longer available.

History

#1

Updated by Bill Meeks 2 months ago

  • File patch-geoip2.diff added

#2

Updated by Bill Meeks 2 months ago

  • File patch-geoip2.diff added

#3

Updated by Peter Manev 2 months ago

  • Priority changed from High to Normal

Thank you for opening an issue tracker and the contribution.
Could you please resubmit the code following the guidelines here -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
and here
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Code_Submission_Quality_Criteria

Thank you

#4

Updated by Bill Meeks 2 months ago

Yes, I will submit it as a pull request. My Suricata repo clone is quite ancient, though. So give me a day or two to refresh it and get the pull request submitted.

Bill

#5

Updated by Victor Julien 2 months ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 4.1.3

Since the code looks fairly nonintrusive I think we can target this at the stable branch.

#6

Updated by Victor Julien 2 months ago

  • Assignee changed from Victor Julien to Bill Meeks

#7

Updated by Bill Meeks 2 months ago

  • File deleted (patch-geoip2.diff)

#8

Updated by Bill Meeks 2 months ago

  • Status changed from Assigned to Resolved

Patch is ready for final review and merge here: https://github.com/OISF/suricata/pull/3622

#9

Updated by Bill Meeks 2 months ago

  • File deleted (patch-geoip2.diff)

#10

Updated by Victor Julien 14 days ago

  • Target version changed from 4.1.3 to 4.1.4

Re-targeting to 4.1.4 as things are not merged pending some changes to how the new code/feature interacts with QA.
