Problem with geoip plugin and IP whitelist filtering

Elastic Stack Logstash
1

Good morning !

I am using Logstash to fetch data by Wazuh (HIDS) and Suricata (NIDS). So I use the Geoip plugin to geolocate the IPs that connect to my server.

My first problem is this:

When I do a test by connecting with the wrong password to my server, it creates an alert of "user authentication failed" by giving the source ip under the "data srcip" field that I give to geoip so that it analysis. On Elasticsearch, I see the resolution of the geolocation appear, but this one gives me the field "geoip.country_name" equal to "Russia" as well as a timezone in Moscow, whereas if look at my public ip on Maxmind this one corresponds well to my country which is France. Strange no?

Then, my basic idea was to compare the IPs received with whitelists of IPs, linked with the rule that runs when a bad password occurs.

So far I have tried:

    if [rule][id] == "87201" {
      if [geoip][ip] == "xx.xx.xx.xx" {
          mutate {
               add_field => [ "Possible false positive", "1" ]
          }
      }  
    }

I would therefore like that in this case there is a tag that it is a false positive. Mias, it doesn't work, no filter is done. Note that the geoip is called before this code, so the field does exist...

2

First what version of Logstash are you running?

Second Make sure you are comparing the same MaxMind Databases databases...

Logstash for the geoip plugin see here uses GeoLite2 (the open source free version) see here

If you went and tested the IP against MaxMind Site here for example

That is the Paid / Commercial Version, they are not the same... The data in the Commercial Paid version is better, free is not bad ... but it is not as accurate / complete... please read about the differences on the MaxMind site

If you are truly want to use this for a security use case you might consider purchasing the commercial version.

3

Hello,

I am using the latest version of Logstash.

I didn't know there was such a difference, I thought it was big to find myself in Russia...

Thanks for your response !

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.