Integrate IPFire Location (new implementation for the geoip keyword) #6398
Conversation
mtremer
changed the title
|
Some initial thoughts:
Also important before merge, but may want to wait on more code review, etc:
Thanks. |
|
Thank you for taking some time to look at this.
I thought this is the only way we would take advantage of already existing rules. There is no point for rule writers to distinguish between what databases are being used.
Agreed. I didn't take time to figure out how unit tests work, yet.
What would these do? Is there some documentation you can point me to?
Would we be able to support building some third-party software, since the library is not part of any major distribution, yet. We have our own repositories which can be added for Debian. So for there is little reason to add libloc to major distributions because not that much software is using it, but this is obviously going to change with suricata becoming another user now.
I am not aware of anything. In fact, IPFire Location has a superset of features because IPv6 is supported. |
Yeah, its fine to use the geoip keyword. Just
Here's our existing
Yes, its pretty flexible.. We use a PPA to get |
We do not have any unofficial RPM packages, yet. Ideally we want this package to become parts of the distributions as quickly as possible and we do not want to maintain too many out-of-tree packages, simply because we do not have enough distribution diversity in our team to support all of them. We would be happy if people would join us and package libloc for their favourite distribution. |
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This currently only adds empty functions that do not do anything useful, yet. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Globally, people use some special country codes for special cases (e.g. anonymous proxies, satellite providers, anycast, etc.). IPFire Location preserves the original country code and codes this information in binary flags which are being checked instead. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch makes the module slightly more modular in order to be able to add support for additional keywords without any code duplication. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This allows matching for source, destination or both for anycast networks. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
@mtremer Any plans to support cities? Also, is there any info on how locations are acquired? |
No, there is not support planned for cities because there is little need for it and absolutely no reliable data that we can use.
Yes, the code that collects all information is part of the source repository: https://git.ipfire.org/?p=location/libloc.git;a=blob;f=src/python/location-importer.in;h=bee91868f66e3ea60c5146a1e41be713bbbe4142;hb=HEAD The basis is WHOIS information paired with the global routing table and some manual data: |
|
Warning: no commits in this PR have specified the following ticket(s): Please update the commit(s) and submit a new PR. |
|
I have updated the commit message. |
Thanks! Considering it also needs rebase, could you please submit a new PR, when you have the time? |
Thank you. I appreciate your response very much, but I have been spending a lot of time to resubmit the same PR again and again with only small changes. The requested changes to the commit message could have easily been added with the merge. I have already rebased this multiple times just to see the PR lying around for a long time. Is there anything else that needs to be done to get this finally merged so that I can combine things into one job, please? |
I think now it comes down to tests to prove that it works as expected, done with Suricata-Verify. This is even more important with this feature over something new as its re-using an existing rule keyword, so it has to behave very close, if not identical to the existing support provided by libmaxminddb, which I also means adding some more tests for our geoip support which is really low on tests at the moment. Basically it needs a champion to finish off the tedious details of adding a new feature. A build in |
|
Closing due to inactivity. If you're interested in picking this back up, please open a new PR addressing the comments. Thanks! |
This is a draft of a module that includes IPFire Location in suricata. The "geoip" keyword allows rule authors to detect (with a certain degree of confidence) where the source/destination host is located on the internet.
This module is loosely based on the existing GeoIP module which remains untouched. This module has been tested on suricata 7 and can be easily backported to earlier versions. It already has the advantage to support both, IPv6 and IPv4, whereas the first is lacking in the existing module. I also believe that libloc is substantially faster in looking up any IP addresses from the database.
I do not know what happens if someone tries to compile suricata with support for both, libloc and libgeoip. Potentially this should be checked in configure.
This module should also be extended to offer support for ASN matching (https://redmine.openinfosecfoundation.org/issues/4649).
I am looking forward to any feedback.