Fix Issue 2765 - rule option: migrate to GeoIP2 database and libmaxminddb API.

[bmeeks8]

Make sure these boxes are signed before submitting your Pull Request -- thank you.

• [x ] I have read the contributing guide lines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
• [ x] I have signed the Open Information Security Foundation contribution agreement at https://suricata-ids.org/about/contribution-agreement/
• [x ] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket: #2765

Describe changes:

• Update "geoip" rule option support code to use the libmaxminddb library for reading "iso_country" code for an IP address from the GeoIP2/GeoLite2 database format. The legacy GeoIP database format and supporting library (libgeoip) has been discontinued by MaxMind and replaced by GeoIP2 and the libmaxminddb library.

PRScript output (if applicable):

[bmeeks8]

Apparently there is no libmaxminddb library package available for Cygwin, thus the test build on appveyor is failing because it says it cannot find the library. I've searched the web and did not find a binary package for Cygwin I could reference. I did find source code for maybe creating a binary package, though, using cygport.

So does this mean "geoip" support in Suricata is going to die with the end-of-life of the legacy GeoIP database, or is there another alternative for including the GeoIP2 format supported by libmaxminddb in Suricata?

[victorjulien]

Thanks for taking on this work Bill! Some minor questions/requests.

[victorjulien]

Why is the string copied here? It seems unnecessary. If it is needed, please use SCStrdup instead.

[bmeeks8]

The library uses memory-mapped file I/O, so there is a remote chance that a string pointer returned may be voided later, especially if the database is closed. The MaxMind sample code makes a copy of the string, so I felt that was the safer route here. I will switch to the SCStrdup() function.

[bmeeks8]

After another more careful look I realized the function needed here is strndup() (a string copy with specified length) and not strdup(). This is because the MaxMind DB entries are not null-terminated strings. The data length is given as part of the returned data structure. I did not find an equivalent Suricata function for strndup(). I see SCStrdup() but I do not see SCStrndup().

[victorjulien]

Ok fair enough, but then I would prefer a proper SCStrndup implementation to be introduced. It should be quite simple to add that.

[victorjulien]

Our Windows support efforts are now focused on MinGW, which does have a libmaxminddb package. In any case I would like to get this work merged, even if not all platforms support it.

[victorjulien]

On 14-01-19 14:25, Bill Meeks wrote: Good idea. The default should generally be "DATADIR/GeoIP/GeoLite2-Country.mmdb". I will make the change.

Some tools/libs, like libmagic, will fall back to a built-in default that is correct for most (all?) platforms if passed a NULL. Might be worth having a look if that is true here as well.

[bmeeks8]

I believe all review comments have been resolved and this request is ready for acceptance and merging.