18.7.10 Suricata 4.1.2 GeoIP

[MakesSense]

Hi

Anyone else having problems with geoip rules in Suricata 4.2.1? Every time I try to load a rule with geoip Suricata throws an error...

[The_Sage]

GEO Ip has been made redundant in Suricata.

Use Firewall alias, Geo IP instead. (cant find link)

[franco]

This seems to be a problematic complication with the GeoIP database provider not publishing its database (in the old format) anymore:

https://svnweb.freebsd.org/ports/head/UPDATING?r1=490211&r2=490210&pathrev=490211

19.1 removes the GeoIP database from intrusion prevention since it can't be used anymore and we'll see if this also impacts firewall aliases.

But it's correct that firewall aliases is the way to go whether or not we have to fix them to stay operational.


Cheers,
Franco

[chemlud]

I have geoblocking activated in suricata as well, might this be related to the "loosing interface" issue with 18.7.10?

[MakesSense]

Thanks for the info! I will use firewall for geoblock then:-)

[franco]

@chemlud Could be, but entirely unsure.

We checked the firewall aliases GeoIP and it uses the version 2 database so we're good on this front. Best to migrate now...


Cheers,
Franco

[MakesSense]

We checked the firewall aliases GeoIP and it uses the version 2 database so we're good on this front. Best to migrate now...


Cheers,
Franco

Super, thanks franco! Migration done!

[chemlud]

Any hint on HOW-TO move? :-)

[franco]

Yes and no, there is a small introduction at https://docs.opnsense.org/manual/aliases.html#aliases-geoip although it displays the older GeoIP selector. It also later explains aliases in rules.


Cheers,
Franco

[chemlud]

OK, so I created an Alias with the respective countries and a block rule really high up with "Destination" -> alias with countries for geoblocking. Correct? :-)

[franco]

Yes, you want these in your LAN (or OPT) interfaces high up.

When using floating rules make sure to select "Quick" option as otherwise other rules could overwrite the decision.


Cheers,
Franco