From the release notes:
__
Changes in this release include adding GeoIP support to HIDS reporting using the free MaxMind GeoIP country database. Alerts will now include basic location information on attack sources. GeoIP data stored in /usr/share/GeoIP/GeoIP.dat will automatically be used in HIDS reporting.
__
Will the included logic for installing the free GeoIP db take into account if GeoIP.dat is already installed at /usr/share/GeoIP such that it won't overwrite a paid db with the free one?
Thanks.
Latest Release - ASL 3.2.10 - Question about GeoIP
Re: Latest Release - ASL 3.2.10 - Question about GeoIP
Imaging wrote:
Will the included logic for installing the free GeoIP db take into account if GeoIP.dat is already installed at /usr/share/GeoIP such that it won't overwrite a paid db with the free one?

The installation of the latest ossec-hids package as distributed by ASL has a requirement on the GeoIP package. I presume that if you have already installed GeoIP (from the package manager) and configured it with your own database, that will keep working. We have seen that "rpm -V GeoIP" does not report modifications to the files owned by the GeoIP package (including /usr/share/GeoIP/GeoIP.dat).
Lemonbit Internet Dedicated Server Management
- Atomicorp Staff - Site Admin
Re: Latest Release - ASL 3.2.10 - Question about GeoIP
Correct, there is no version requirement on GeoIP at this time. It just needs to be installed in the right location (i.e., FSB, don't deviate). And it will look for GeoIP.dat in the default location (again, FSB, don't deviate). If you have a commercial MaxMind feed it will update that .dat file, and it will then be copied into /var/ossec/etc because this daemon operates in a chroot() context. If GeoIP.dat changes, it will be updated in the HIDS chroot on the same schedule AUM is configured to run.
Re: Latest Release - ASL 3.2.10 - Question about GeoIP
Great, thanks.
- Forum Regular
Re: Latest Release - ASL 3.2.10 - Question about GeoIP
In my case it is spitting out errors:

2013/04/12 08:29:59 alerts(1276): ERROR: Cannot open GeoIP database: '/etc/GeoIP.dat'.

It is installed though:

# rpm -qa | grep -i geoip
GeoIP-data-20090201-1.el5.centos.x86_64
GeoIP-1.4.8-1.1.el5.art.x86_64

It looks like it copied the file to /usr/share/GeoIP/GeoIP.dat, which isn't where ossec is expecting it to be.
Is this a problem with the code/package?
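The staff reply above describes two copies of the database: the host file at /usr/share/GeoIP/GeoIP.dat and a copy placed under /var/ossec/etc so the chrooted daemon can read it, refreshed on the AUM schedule. The alert in the post above names '/etc/GeoIP.dat', which is the path as seen from inside that chroot. A small health check that confirms both copies exist and agree is useful when a commercial feed updates the host file between AUM runs, or when a packaging change leaves the chroot copy missing. The script below is an added example, not part of the thread or of the ASL/OSSEC packages; the /var/ossec root and the use of cksum as the comparison are assumptions.

```shell
#!/bin/sh
# Verify that the OSSEC chroot copy of GeoIP.dat matches the host database.
# Exit codes: 0 = in sync, 1 = copies differ, 2 = host file missing,
#             3 = chroot copy missing (the daemon reports this as /etc/GeoIP.dat).
# Assumed defaults: host DB at /usr/share/GeoIP/GeoIP.dat, OSSEC root /var/ossec.
geoip_chroot_check() {
    host_db="${1:-/usr/share/GeoIP/GeoIP.dat}"
    chroot_db="${2:-/var/ossec/etc/GeoIP.dat}"

    if [ ! -f "$host_db" ]; then
        echo "MISSING_HOST: $host_db not found (is the GeoIP-data package installed?)"
        return 2
    fi
    if [ ! -f "$chroot_db" ]; then
        echo "MISSING_CHROOT: $chroot_db not found; inside the chroot this is /etc/GeoIP.dat"
        return 3
    fi

    # POSIX cksum is available on minimal systems where sha256sum may not be.
    host_sum=$(cksum < "$host_db" | cut -d' ' -f1)
    chroot_sum=$(cksum < "$chroot_db" | cut -d' ' -f1)

    if [ "$host_sum" = "$chroot_sum" ]; then
        echo "OK: chroot copy matches host database ($host_db)"
        return 0
    fi

    # Differing content: say which side is newer so the operator knows whether
    # AUM simply has not run yet or the host file was changed unexpectedly.
    if [ "$host_db" -nt "$chroot_db" ]; then
        echo "STALE: host database is newer than $chroot_db; chroot copy awaits the next AUM run"
    else
        echo "DIFFERENT: $chroot_db differs from the host database and is not older than it"
    fi
    return 1
}

# When run directly, check the default locations (or the two paths given as
# arguments). The status is carried in the exit code for use from cron.
geoip_chroot_check "$@" || :
```

Run it with no arguments on an ASL host, or pass the host and chroot paths explicitly; a non-zero exit code can drive an alert from cron independently of OSSEC itself.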
Re: Latest Release - ASL 3.2.10 - Question about GeoIP
I had the same problem.
Atomicorp support sent me this link:
https://www.atomicorp.com/wiki/index.ph ... oIP.dat.27.
So it seems you can ignore the error messages.

ERROR: Cannot open GeoIP database: '/etc/GeoIP.dat'.
You can ignore this message. This feature is not currently used and this message is expected when events occur. The message is harmless and you can ignore it.