Bug #3067

closed

GeoIP keyword depends on now discontinued legacy GeoIP database (4.1.x)

Added by Victor Julien over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort: medium
Difficulty:
Label:

Description

The "geoip" keyword functionality depends on the now discontinued GeoIP Legacy Free Database format. MaxMind, the creator and owner of the database, has removed the legacy-format GeoIP database files from their download site as of January 2, 2019 and now provides only the newer GeoIP2 format files with the "*.mmdb" database extension. This new format is different from, and incompatible with, that of the GeoIP library and database currently used by Suricata.

The new GeoIP2 format requires use of the libmaxminddb library and its API. Details can be found here: https://github.com/maxmind/libmaxminddb/blob/master/doc/libmaxminddb.md

The legacy format GeoIP database files have been removed from the MaxMind web site and are no longer available. See this post: https://support.maxmind.com/geolite-legacy-discontinuation-notice/

Without a changeover to the new MaxMind DB library, the geoip keyword will cease to function since the required database is no longer available.

Backport from https://github.com/OISF/suricata/pull/3985:
https://github.com/OISF/suricata/pull/3985/commits/1f267b49e9dabfea7aec99cbf441ec8f0f368cfe
https://github.com/OISF/suricata/pull/3985/commits/41b85780b8e565bce8bb1b1335981ea6bc646918
https://github.com/OISF/suricata/pull/3985/commits/d673abfebbf28abc807057785bb26cfb53184358
https://github.com/OISF/suricata/pull/3985/commits/686dc8856f6696adebedbd0dc71f505e4ce843bd


Related issues: 1 (0 open, 1 closed)

Copied from Suricata - Bug #2765: GeoIP keyword depends on now discontinued legacy GeoIP database (Closed, Bill Meeks)