Closed jrossi closed 10 years ago
jrossi
commented
10 years ago The patch to ossec source code has been merged and committed. Users should download and install the Maxmind API and DB files before enabling this feature on OSSEC.
We need to document this.
Note: This comment has been automatically migrated from Bitbucket Created by jbcheng on 2012-08-23 22:34:48+00:00, last updated: 2012-08-23 22:35:16+00:00
jrossi
commented
10 years ago === Documentation for Adding GeoIP Support -- added support for GeoIP lookup using Maxmind database and API (xavier)
output to alerts.log, and syslog forwarding, and maild output ------ Sample procedure to enable GeoIP (adjust as needed) {{{ Step 1. get and install Maxmind GeoIP API wget http://www.maxmind.com/download/geoip/api/c/GeoIP-1.4.8.tar.gz tar xzvf GeoIP-1.4.8.tar.gz cd GeoIP-1.4.8 ./configure make su make install"
Step 2. get Maxmind GeoIP DB wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz gzip -d GeoLiteCity.dat.gz wget ttp://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz gzip -d GeoLiteCityv6.dat.gz su cp GeoLiteCity*.dat /var/ossec/etc/
Step 3. Compile OSSEC with GeoIP enabled, modify config get ossec-hids-2.7.tar.gz tar xzvf ossec-hids-2.7.tar.gz cd ossec-hids-2.7 cd src make setgeoip cd .. su ./install.sh
------ modify etc/ossec.conf
<alerts>
<!-- to add GeoIP info in alerts -->
<use_geoip>yes</use_geoip>
</alerts>------ update etc/internal_options.conf
maild.geoip=1
------ restart OSSEC /var/ossec/bin/ossec-control restart }}}
Note: This comment has been automatically migrated from Bitbucket Created by jbcheng on 2012-10-01 23:13:24+00:00
http://blog.rootshell.be/2012/06/05/attackers-geolocation-in-ossec/
Note: This issue has been automatically migrated from Bitbucket Created by jbcheng on 2012-08-15 00:57:51+00:00, last updated: 2012-10-01 23:13:51+00:00