18.7.10 Suricata 4.1.2 GeoIP

Started by MakesSense, January 13, 2019, 10:25:03 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
January 13, 2019, 10:25:03 PM
Hi

Anyone else having problems with geoip rules in Suricata 4.2.1? Every time I try to load a rule with geoip Suricata throws an error...
January 14, 2019, 08:31:43 AM #1
GEO Ip has been made redundant in Suricata.

Use Firewall alias, Geo IP instead. (cant find link)
January 14, 2019, 08:51:18 AM #2
This seems to be a problematic complication with the GeoIP database provider not publishing its database (in the old format) anymore:

https://svnweb.freebsd.org/ports/head/UPDATING?r1=490211&r2=490210&pathrev=490211

19.1 removes the GeoIP database from intrusion prevention since it can't be used anymore and we'll see if this also impacts firewall aliases.

But it's correct that firewall aliases is the way to go whether or not we have to fix them to stay operational.


Cheers,
Franco

January 14, 2019, 08:53:13 AM #3
I have geoblocking activated in suricata as well, might this be related to the "loosing interface" issue with 18.7.10?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
January 14, 2019, 09:21:20 AM #4
Thanks for the info! I will use firewall for geoblock then:-)

January 14, 2019, 10:18:44 AM #5
@chemlud Could be, but entirely unsure.

We checked the firewall aliases GeoIP and it uses the version 2 database so we're good on this front. Best to migrate now... :)


Cheers,
Franco
January 14, 2019, 10:41:54 AM #6
Quote from: franco on January 14, 2019, 10:18:44 AM
We checked the firewall aliases GeoIP and it uses the version 2 database so we're good on this front. Best to migrate now... :)


Cheers,
Franco

Super, thanks franco! Migration done! :)
January 14, 2019, 10:58:06 AM #7
Any hint on HOW-TO move? :-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
January 14, 2019, 11:41:22 AM #8
Yes and no, there is a small introduction at https://docs.opnsense.org/manual/aliases.html#aliases-geoip although it displays the older GeoIP selector. It also later explains aliases in rules.


Cheers,
Franco
January 14, 2019, 12:06:43 PM #9
OK, so I created an Alias with the respective countries and a block rule really high up with "Destination" -> alias with countries for geoblocking. Correct? :-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
January 14, 2019, 03:13:27 PM #10
Yes, you want these in your LAN (or OPT) interfaces high up.

When using floating rules make sure to select "Quick" option as otherwise other rules could overwrite the decision.


Cheers,
Franco
Print
Go Up Pages1
User actions