geoip
^^^^^
-The geoip keyword enables (you) to match on the source, destination or
+The geoip keyword enables matching on the source, destination or
source and destination IPv4 addresses of network traffic, and to see to
which country it belongs. To be able to do this, Suricata uses the GeoIP2
API of MaxMind.
geoip: both,US,CA,UK;
geoip: any,CN,IR;
-So, you can see you can use the following to make clear on which
-direction you would like to match
-
====== =============================================================
Option Description
====== =============================================================
-both Both directions have to match with the given geoip(s)
-any One of the directions has to match with the given geoip(s).
-dest If the destination matches with the given geoip.
+both Both source and destination have to match with the given geoip(s)
+any Either the source or the destination has to match with the given geoip(s).
+dest The destination matches with the given geoip.
src The source matches with the given geoip.
====== =============================================================
-The keyword only supports IPv4. As it uses the GeoIP2 API of MaxMind,
+geoip currently only supports IPv4. As it uses the GeoIP2 API of MaxMind,
libmaxminddb must be compiled in. You must download and install the
GeoIP2 or GeoLite2 database editions desired. Visit the MaxMind site
-at https://dev.maxmind.com/geoip/geoip2/geolite2/ for details.
+at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data for details.
You must also supply the location of the GeoIP2 or GeoLite2 database
file on the local system in the YAML-file configuration (for example)::
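Review bot: Removing the lead-in sentence ("So, you can see you can use the following to make clear on which direction you would like to match") without replacing it leaves the direction table and the two examples above it with no statement that the first argument of `geoip:` selects the direction; keep a one-line replacement before the table, for example `The first argument selects which direction(s) must match:`. While touching this paragraph, also note that the `geoip: both,US,CA,UK;` and `geoip: any,CN,IR;` lines are not in a literal block (no preceding `::` and no indentation), so Sphinx renders them as running text rather than as rule syntax, and that `UK` is not the ISO 3166-1 alpha-2 code MaxMind stores for the United Kingdom (`GB` is), so a rule copied from that example would silently never match UK traffic; `GB` would make the example correct.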