Latest Release - ASL 3.2.10 - Question about GeoIP

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Latest Release - ASL 3.2.10 - Question about GeoIP

Post by Imaging:

From the release notes:

__

Changes in this release include adding GeoIP support to HIDS reporting using the free MaxMind GeoIP country database. Alerts will now include basic location information on attack sources. GeoIP data stored in /usr/share/GeoIP/GeoIP.dat will automatically be used in HIDS reporting.

__

Will the included logic for installing the free GeoIP db take into account if GeoIP.dat is already installed at /usr/share/GeoIP such that it won't overwrite a paid db with the free one?

Thanks.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Latest Release - ASL 3.2.10 - Question about GeoIP

Post by prupert:

Imaging wrote: Will the included logic for installing the free GeoIP db take into account if GeoIP.dat is already installed at /usr/share/GeoIP such that it won't overwrite a paid db with the free one?
The installation of the latest ossec-hids package as distributed by ASL has a requirement on the GeoIP package. I presume that if you have already installed GeoIP (from the package manager) and configured it with your own database, that will keep working. We have seen that "rpm -V GeoIP" does not report modifications to the files owned by the GeoIP package (one of which is /usr/share/GeoIP/GeoIP.dat).
Lemonbit Internet Dedicated Server Management
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Latest Release - ASL 3.2.10 - Question about GeoIP

Post by scott:

Correct, there is no version requirement on GeoIP at this time. It just needs to be installed in the right location (i.e., FSB, don't deviate). And it will look for GeoIP.dat in the default location (again, FSB, don't deviate). If you have a commercial MaxMind feed it will update that .dat file, and then be copied into /var/ossec/etc because this daemon operates in a chroot() context. If GeoIP.dat changes, it will be updated in the HIDS chroot on the same schedule AUM is configured to run.
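Scott's post describes the host database at /usr/share/GeoIP/GeoIP.dat being mirrored into /var/ossec/etc for the chrooted daemon on the AUM schedule. The following is an added example, not Atomicorp's or ASL's own code, that checks whether the chroot copy still matches the host copy (e.g. after a commercial MaxMind update) and refreshes it when stale; it assumes the chroot copy lives at /var/ossec/etc/GeoIP.dat, which the thread does not state explicitly.

```shell
#!/bin/sh
# Added example (not Atomicorp's code): verify that the GeoIP database the
# HIDS daemon reads inside its chroot is the same file installed on the host.
# Default paths follow the thread: host copy /usr/share/GeoIP/GeoIP.dat,
# chroot copy /var/ossec/etc/GeoIP.dat (the latter is an assumption).

# geoip_chroot_status HOST_DAT CHROOT_DAT
# Prints one of: missing-host, missing-chroot, stale, in-sync
# Exit status 0 only when the two files are byte-identical.
geoip_chroot_status() {
    host="$1"
    chroot_copy="$2"
    if [ ! -r "$host" ]; then
        echo "missing-host"; return 1
    fi
    if [ ! -r "$chroot_copy" ]; then
        echo "missing-chroot"; return 1
    fi
    if cmp -s "$host" "$chroot_copy"; then
        echo "in-sync"; return 0
    fi
    echo "stale"; return 1
}

# geoip_chroot_sync HOST_DAT CHROOT_DAT
# Copies the host database into the chroot when the chroot copy is missing
# or stale. Does nothing when in sync; fails when the host copy is absent.
geoip_chroot_sync() {
    host="$1"
    chroot_copy="$2"
    status=$(geoip_chroot_status "$host" "$chroot_copy") || true
    case "$status" in
        in-sync)      return 0 ;;
        missing-host) return 1 ;;
        *)
            mkdir -p "$(dirname "$chroot_copy")" &&
            cp -p "$host" "$chroot_copy" ;;
    esac
}

# Stand-alone use: report status for the two paths given on the command line,
# defaulting to the thread's locations when no arguments are supplied.
if [ "$#" -eq 2 ]; then
    geoip_chroot_status "$1" "$2"
elif [ "$#" -eq 0 ] && [ -d /var/ossec ]; then
    geoip_chroot_status /usr/share/GeoIP/GeoIP.dat /var/ossec/etc/GeoIP.dat
fi
```

A "stale" result between AUM runs is expected right after a MaxMind update; a persistent "stale" or "missing-chroot" means the daemon is geolocating with an old or absent database.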
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Latest Release - ASL 3.2.10 - Question about GeoIP

Post by Imaging:

Great, thanks.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: Latest Release - ASL 3.2.10 - Question about GeoIP

Post by hostingguy:

In my case it is spitting out errors:
2013/04/12 08:29:59 alerts(1276): ERROR: Cannot open GeoIP database: '/etc/GeoIP.dat'.
It is installed, though:
# rpm -qa | grep -i geoip
GeoIP-data-20090201-1.el5.centos.x86_64
GeoIP-1.4.8-1.1.el5.art.x86_64

It looks like it copied the file to /usr/share/GeoIP/GeoIP.dat which isn't where ossec is expecting it to be.
Is this a problem with the code/package?
PhiWi
New Forum User
Posts: 3
Joined: Fri Aug 24, 2012 1:15 pm
Location: Munich, Germany

Re: Latest Release - ASL 3.2.10 - Question about GeoIP

Post by PhiWi:

I had the same problem.

Atomicorp support sent me this link:

https://www.atomicorp.com/wiki/index.ph ... oIP.dat.27.
ERROR: Cannot open GeoIP database: '/etc/GeoIP.dat'.
You can ignore this message. This feature is not currently used and this message is expected when events occur. The message is harmless and you can ignore it.
So it seems you can ignore the error messages.