Suricata GEO IP error

[ACCGAGTT]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

32GB

Storage for /

90GB

Storage for /nsm

100GB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Created suricata alert for GEOIP alerting :
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Connection to russia"; geoip:RU; sid:55555559; rev:1;

I cannot locate instructions on how to install the GeoIP support. I do have MaxMind database access and account.

Is there documentation that points out how to get this to work?

Thank you in advance

Suricata.log:
[11 - Suricata-Main] 2023-11-29 07:11:43 Info: logopenfile: stats output device (regular) initialized: stats.log
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect-geoip: no GeoIP support built in, needed for geoip keyword
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect: error parsing signature "alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Connection to russia"; geoip:RU; sid:55555559; rev:1;)" from file /etc/suricata/rules/all.rules at line 45613
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect-geoip: no GeoIP support built in, needed for geoip keyword
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect: error parsing signature "alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Connection to china"; geoip:CN; sid:55555558; rev:1;)" from file /etc/suricata/rules/all.rules at line 45614
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect-geoip: no GeoIP support built in, needed for geoip keyword
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect: error parsing signature "alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Connection to belarus"; geoip:BY; sid:55555557; rev:1;)" from file /etc/suricata/rules/all.rules at line 45615
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect-geoip: no GeoIP support built in, needed for geoip keyword
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect: error parsing signature "alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Connection to Vietnam"; geoip:VN; sid:55555556; rev:1;)" from file /etc/suricata/rules/all.rules at line 45616
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect-geoip: no GeoIP support built in, needed for geoip keyword
[11 - Suricata-Main] 2023-11-29 07:11:45 Error: detect: error parsing signature "alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Connection to India"; geoip:IN; sid:55555555; rev:1;)" from file /etc/suricata/rules/all.rules at line 45617
[11 - Suricata-Main] 2023-11-29 07:11:45 Info: detect: 1 rule files processed. 35396 rules successfully loaded, 5 rules failed
[11 - Suricata-Main] 2023-11-29 07:11:45 Info: threshold-config: Threshold config parsed: 0 rule(s) found

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[TOoSmOotH]

I created an issue for this. We need to compile in geoip support and add the appropriate libraries.

#11901

[ACCGAGTT]

thank you, is there a manual workaround I could apply?

[TOoSmOotH]

It has to be re-compiled so no. You will have to wait until .40 is released which currently has no release date set.

[ACCGAGTT]

thank you for answering

[dougburks]

Not a workaround for Suricata GeoIP but for GeoIP in general, Elasticsearch has it built in and should already be applying GeoIP lookups to some of your data. Try going to SOC Dashboards and selecting one of the GeoIP dashboards at the bottom of the list:

If you wanted to look for traffic to your countries of interest, you could then create a custom query and either bookmark the query in your browser or add it to the default list of queries in SOC itself:
https://docs.securityonion.net/en/2.4/dashboards.html#query-bar
https://docs.securityonion.net/en/2.4/soc-customization.html#custom-queries

[ACCGAGTT]

thank you Doug. This can do for now while I wait for suricata to have this enabled.