GeoIP
This guide describes how to install Suricata with GeoIP support enabled.
It uses Ubuntu LTS 14.04 64-bit.
We need the following packages installed first:
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
  build-essential autoconf automake libtool libpcap-dev libnet1-dev \
  libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
  make libmagic-dev
For GeoIP support we also need:
apt-get install libgeoip1 libgeoip-dev
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-2.0.11.tar.gz
tar -xvzf suricata-2.0.11.tar.gz
cd suricata-2.0.11
NOTE: 2.0.11 is the stable version at the time of this writing.
Then we configure, compile and install:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ \
  --enable-geoip \
  && make clean && make && make install && ldconfig
When you run
suricata --build-info
make sure the output contains:
libgeoip: yes
Now you can use rules with the geoip keyword. Its syntax is:
geoip:<src|dst|both>,<countrycode1,countrycode2,...>;
Examples:
geoip:src,!ES,JP,US,UK,PT;sid:1; -> triggers if the source IP of the packet is not in ES, JP, US, UK or PT (the leading ! negates the whole list).
geoip:JP;sid:1; -> triggers if the source OR the destination IP is in Japan (no direction given).
alert ip any any -> any any (msg:"GeoIP from JP,Japan "; geoip:JP; sid:55555555; rev:1;)
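The following is an added example, not code from the Suricata project, that shows how the geoip option described above is parsed and evaluated: direction (src, dst, both, or none, meaning source OR destination), an optional leading ! that negates the match, and a list of country codes. The IP-to-country table is a constructed stand-in for the GeoIP database (the prefixes are invented), and the way negation combines with the both/no-direction cases is this example's own interpretation; for src it behaves exactly as stated on the page.

```python
import ipaddress
import re

# Constructed stand-in for the GeoIP database. These prefixes are invented
# for the example and are not real country allocations.
_PREFIX_TO_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "JP",
    ipaddress.ip_network("198.51.100.0/24"): "ES",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Matches "geoip:<value>;" inside a rule's option block.
_GEOIP_RE = re.compile(r"\bgeoip\s*:\s*([^;]+);")


def lookup_country(ip):
    """Return the two-letter country code for an IP, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _PREFIX_TO_COUNTRY.items():
        if addr in net:
            return cc
    return None


def geoip_option_from_rule(rule):
    """Extract the geoip option value from a full rule line, or None."""
    m = _GEOIP_RE.search(rule)
    return m.group(1).strip() if m else None


def parse_geoip(option):
    """Parse a geoip option value such as 'src,!ES,JP,US,UK,PT' or 'JP'.

    Returns (direction, negated, codes). direction is 'src', 'dst', 'both',
    or 'any' (this example's name for the no-direction case, which matches
    when the source OR the destination IP is in the list).
    """
    parts = [p.strip() for p in option.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty geoip option")
    direction = "any"
    if parts[0].lower() in ("src", "dst", "both"):
        direction = parts.pop(0).lower()
    if not parts:
        raise ValueError("geoip option has no country codes")
    negated = parts[0].startswith("!")
    if negated:
        parts[0] = parts[0][1:]
    codes = set()
    for code in parts:
        code = code.upper()
        if len(code) != 2 or not code.isalpha():
            raise ValueError(f"bad country code: {code!r}")
        codes.add(code)
    return direction, negated, codes


def _addr_hit(country, codes, negated):
    # Negation is applied per address: with '!' an address hits when its
    # country is NOT in the list (an unknown country therefore hits too).
    return (country in codes) != negated


def geoip_matches(option, src_ip, dst_ip):
    """Evaluate a geoip option against a packet's source and destination."""
    direction, negated, codes = parse_geoip(option)
    src_hit = _addr_hit(lookup_country(src_ip), codes, negated)
    dst_hit = _addr_hit(lookup_country(dst_ip), codes, negated)
    if direction == "src":
        return src_hit
    if direction == "dst":
        return dst_hit
    if direction == "both":
        return src_hit and dst_hit
    return src_hit or dst_hit


if __name__ == "__main__":
    rule = ('alert ip any any -> any any (msg:"GeoIP from JP,Japan "; '
            'geoip:JP; sid:55555555; rev:1;)')
    opt = geoip_option_from_rule(rule)
    print(opt, geoip_matches(opt, "192.0.2.9", "203.0.113.1"))
```

Running the block evaluates the page's last rule against a constructed US-to-JP packet, which matches because the destination is in Japan; changing the option to src,JP would not match that packet.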