From 8c0d58302f9cdef8ac556745260d9851d35ccb20 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Sun, 24 Nov 2019 15:24:40 -0500 Subject: [PATCH 01/13] Move to libmaxminddb, for more current GeoIP support. --- src/Makefile | 2 +- src/analysisd/analysisd.c | 28 ++++++----- src/analysisd/analysisd.h | 3 ++ src/analysisd/config.h | 4 +- src/analysisd/decoders/geoip.c | 86 +++++++++++++++++----------------- src/analysisd/testrule.c | 15 ++++-- 6 files changed, 78 insertions(+), 60 deletions(-) diff --git a/src/Makefile b/src/Makefile index 8014e9e3fc..39ea05148e 100644 --- a/src/Makefile +++ b/src/Makefile @@ -236,7 +236,7 @@ endif # USE_ZEROMQ ifneq (,$(filter ${USE_GEOIP},auto yes y Y 1)) DEFINES+=-DLIBGEOIP_ENABLED - OSSEC_LDFLAGS+=-lGeoIP + OSSEC_LDFLAGS+=-lmaxminddb endif # USE_GEOIP ifneq (,$(filter ${USE_SQLITE},auto yes y Y 1)) diff --git a/src/analysisd/analysisd.c b/src/analysisd/analysisd.c index a220f4421b..40c002ee79 100644 --- a/src/analysisd/analysisd.c +++ b/src/analysisd/analysisd.c @@ -25,7 +25,7 @@ #include "config.h" #include "rules.h" #include "stats.h" -#include "eventinfo.h" + #include "accumulator.h" #include "analysisd.h" #include "fts.h" @@ -45,6 +45,10 @@ #include "syscheck-sqlite.h" #endif +#ifdef LIBGEOIP_ENABLED +#include +#endif + /** Prototypes **/ void OS_ReadMSG(int m_queue); RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node); @@ -81,6 +85,10 @@ static int hourly_events; static int hourly_syscheck; static int hourly_firewall; +#ifdef LIBGEOIP_ENABLED + MMDB_s geoipdb; +#endif + /* Print help statement */ __attribute__((noreturn)) @@ -132,11 +140,6 @@ int main_analysisd(int argc, char **argv) hourly_syscheck = 0; hourly_firewall = 0; -#ifdef LIBGEOIP_ENABLED - geoipdb = NULL; -#endif - - while ((c = getopt(argc, argv, "Vtdhfu:g:D:c:")) != -1) { switch (c) { case 'V': 
@@ -228,14 +231,17 @@ int main_analysisd(int argc, char **argv) #ifdef LIBGEOIP_ENABLED - Config.geoip_jsonout = getDefine_Int("analysisd", "geoip_jsonout", 0, 1); + Config.geoip_jsonout = getDefine_Int("analysisd", "geoip_jsonout", 0, 1); /* Opening GeoIP DB */ + if(Config.geoipdb_file) { - geoipdb = GeoIP_open(Config.geoipdb_file, GEOIP_INDEX_CACHE); - if (geoipdb == NULL) - { - merror("%s: ERROR: Unable to open GeoIP database from: %s (disabling GeoIP).", ARGV0, Config.geoipdb_file); + int status = MMDB_open(Config.geoipdb_file, MMDB_MODE_MMAP, &geoipdb); + if (status != MMDB_SUCCESS) { + merror("%s: ERROR: Cannot open geoipdb: %s", __local_name, MMDB_strerror(status)); + if (status == MMDB_IO_ERROR) { + merror("%s: ERROR: IO error: %s", __local_name, strerror(errno)); + } } } #endif diff --git a/src/analysisd/analysisd.h b/src/analysisd/analysisd.h index 6586fe4b8b..71acbecd1a 100644 --- a/src/analysisd/analysisd.h +++ b/src/analysisd/analysisd.h @@ -33,6 +33,9 @@ extern OSDecoderInfo *NULL_Decoder; #define OSSEC_SERVER "ossec-server" #define MAX_DECODER_ORDER_SIZE 20 +#ifdef USE_GEOIP +int goipdb_success; +#endif #endif /* _LOGAUDIT__H */ diff --git a/src/analysisd/config.h b/src/analysisd/config.h index 8d74c756e4..cf19ddda15 100644 --- a/src/analysisd/config.h +++ b/src/analysisd/config.h @@ -13,7 +13,7 @@ #include "config/config.h" #include "config/global-config.h" #ifdef LIBGEOIP_ENABLED -#include "GeoIP.h" +#include #endif @@ -21,7 +21,7 @@ extern long int __crt_ftell; /* Global ftell pointer */ extern _Config Config; /* Global Config structure */ #ifdef LIBGEOIP_ENABLED -GeoIP *geoipdb; +MMDB_s geoipdb; #endif int GlobalConf(const char *cfgfile); diff --git a/src/analysisd/decoders/geoip.c b/src/analysisd/decoders/geoip.c index 464e4bb71f..bac2836360 100644 --- a/src/analysisd/decoders/geoip.c +++ b/src/analysisd/decoders/geoip.c 
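Review bot: When `MMDB_open()` fails in the analysisd.c hunk, the error is logged but GeoIP stays enabled. `Config.geoipdb_file` is left set, and that pointer is the only thing `GetGeoInfobyIP()` (geoip.c, later in this patch) tests before calling `MMDB_lookup_string(&geoipdb, ...)`. The removed code at least announced "disabling GeoIP"; the new branch should actually do it, for example with `Config.geoipdb_file = NULL;` after the `merror()` calls, or with a dedicated "database is open" flag that the decoder checks. The same pattern is added to `main()` in testrule.c (hunk `@@ -145,10 +150,12 @@`). The branch also uses `errno` and `strerror()`, so confirm errno.h and string.h are reachable in both files; the include lists are outside these hunks.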
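Review bot: `MMDB_s geoipdb;` in config.h is a definition rather than a declaration, and this patch also defines the same object in analysisd.c (`@@ -81,6 +85,10 @@`) and testrule.c (`@@ -30,6 +30,9 @@`). Every translation unit that includes config.h then carries its own tentative definition, which fails to link under `-fno-common` and otherwise relies on the linker merging them. The header line should read `extern MMDB_s geoipdb;`, with one definition per program in a .c file. The analysisd.h hunk has the same shape with `int goipdb_success;`, which is guarded by `USE_GEOIP` although the Makefile defines `LIBGEOIP_ENABLED`. No visible hunk reads it and the name looks like a typo for `geoipdb_success`, so either drop it or declare it `extern` under the macro that is actually defined.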
@@ -21,68 +21,70 @@ #include "eventinfo.h" #include "alerts/alerts.h" #include "decoder.h" -#include "GeoIP.h" -#include "GeoIPCity.h" +#include char *GetGeoInfobyIP(char *ip_addr) { - GeoIPRecord *geoiprecord; - char *geodata = NULL; - char geobuffer[256 +1]; - - if(!geoipdb) - { - return(NULL); - } - if(!ip_addr) { return(NULL); } - - geoiprecord = GeoIP_record_by_name(geoipdb, (const char *)ip_addr); - if(geoiprecord == NULL) - { + if(!Config.geoipdb_file) { return(NULL); } - - if(geoiprecord->country_code == NULL) - { - GeoIPRecord_delete(geoiprecord); + + int gai_error, mmdb_error; + MMDB_lookup_result_s geo_result = MMDB_lookup_string(&geoipdb, ip_addr, &gai_error, &mmdb_error); + if(gai_error != 0) { + merror("%s: ERROR: error from getaddrinfo for %s: %s", __local_name, ip_addr, gai_strerror(gai_error)); return(NULL); } - if(strlen(geoiprecord->country_code) < 2) - { - GeoIPRecord_delete(geoiprecord); + if(mmdb_error != MMDB_SUCCESS) { + merror("%s: ERROR: Error from geoip: %s", __local_name, MMDB_strerror(mmdb_error)); return(NULL); } - - if(geoiprecord->region != NULL && geoiprecord->region[0] != '\0') - { - const char *regionname = NULL; - regionname = GeoIP_region_name_by_code(geoiprecord->country_code, geoiprecord->region); - if(regionname != NULL) - { - snprintf(geobuffer, 255, "%s / %s", geoiprecord->country_code, regionname); - geobuffer[255] = '\0'; - geodata = strdup(geobuffer); + MMDB_entry_data_list_s *entry_data_list = NULL; + + if(geo_result.found_entry) { + int entry_status = MMDB_get_entry_data_list(&geo_result.entry, &entry_data_list); + if(entry_status != MMDB_SUCCESS) { + merror("%s: ERROR: Error during geoip lookup: %s", __local_name, MMDB_strerror(entry_status)); + return(NULL); } - else - { - geodata = strdup(geoiprecord->country_code); + + if(entry_data_list != NULL) { + /* XXX what do? 
*/ + /* I need country code, region */ + static char country_code[3]; + MMDB_entry_data_s entry_data; + int cc = MMDB_get_value(&geo_result.entry, &entry_data, "country", "iso_code", NULL); + if(cc != MMDB_SUCCESS) { + MMDB_free_entry_data_list(entry_data_list); + return(NULL); + } + if(!entry_data.has_data || entry_data.type != MMDB_DATA_TYPE_UTF8_STRING) { + MMDB_free_entry_data_list(entry_data_list); + return(NULL); + } + snprintf(country_code, 3, "%.2s", entry_data.utf8_string); + if(strnlen(country_code, 3) != 2) { + debug1("country_code is wrong?"); + } + + MMDB_free_entry_data_list(entry_data_list); + return(country_code); } - } - else - { - geodata = strdup(geoiprecord->country_code); + } else { + debug1("%s: DEBUG: No entry for %s", __local_name, ip_addr); + MMDB_free_entry_data_list(entry_data_list); + return(NULL); } - GeoIPRecord_delete(geoiprecord); - return(geodata); - + /* Should not get here */ + return(NULL); } #endif diff --git a/src/analysisd/testrule.c b/src/analysisd/testrule.c index c08fb48855..f5fc88b0b9 100644 --- a/src/analysisd/testrule.c +++ b/src/analysisd/testrule.c @@ -30,6 +30,9 @@ /** Internal Functions **/ void OS_ReadMSG(char *ut_str); +#ifdef LIBGEOIP_ENABLED + MMDB_s geoipdb; +#endif /* Analysisd function */ RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node); @@ -82,9 +85,11 @@ int main(int argc, char **argv) active_responses = NULL; memset(prev_month, '\0', 4); +/* #ifdef LIBGEOIP_ENABLED geoipdb = NULL; #endif +*/ while ((c = getopt(argc, argv, "VatvdhU:D:c:q")) != -1) { switch (c) { 
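Review bot: `GetGeoInfobyIP()` now returns a pointer to `static char country_code[3]`, whereas the removed code returned a `strdup()`ed string that the caller owned. All callers therefore share one buffer: a second lookup (destination after source, say) overwrites the first result, and any existing `free()` on the returned pointer becomes an invalid free of static storage. Keeping the old contract avoids both, e.g. a non-static `char country_code[3];` and `return(strdup(country_code));` after `MMDB_free_entry_data_list()`. Separately, libmaxminddb does not NUL-terminate `entry_data.utf8_string`, so the `"%.2s"` copy should be preceded by a length check such as `if (entry_data.data_size < 2)` that frees the list and returns NULL. The after-the-fact `strnlen()` test only logs and still returns the value.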
@@ -145,10 +150,12 @@ int main(int argc, char **argv) /* Opening GeoIP DB */ if(Config.geoipdb_file) { - geoipdb = GeoIP_open(Config.geoipdb_file, GEOIP_INDEX_CACHE); - if (geoipdb == NULL) - { - merror("%s: Unable to open GeoIP database from: %s (disabling GeoIP).", ARGV0, Config.geoipdb_file); + int status = MMDB_open(Config.geoipdb_file, MMDB_MODE_MMAP, &geoipdb); + if(status != MMDB_SUCCESS) { + merror("%s: ERROR: Cannot open geoipdb: %s", __local_name, MMDB_strerror(status)); + if(status == MMDB_IO_ERROR) { + merror("%s: ERROR: IO error: %s", __local_name, strerror(errno)); + } } } #endif From 6aefe0f7d827484e514473a68b6337ec5a2e4f8e Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 27 Nov 2019 08:14:40 -0500 Subject: [PATCH 02/13] Clarify an error message. --- src/analysisd/analysisd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analysisd/analysisd.c b/src/analysisd/analysisd.c index 40c002ee79..d1e49c49e6 100644 --- a/src/analysisd/analysisd.c +++ b/src/analysisd/analysisd.c @@ -240,7 +240,7 @@ int main_analysisd(int argc, char **argv) if (status != MMDB_SUCCESS) { merror("%s: ERROR: Cannot open geoipdb: %s", __local_name, MMDB_strerror(status)); if (status == MMDB_IO_ERROR) { - merror("%s: ERROR: IO error: %s", __local_name, strerror(errno)); + merror("%s: ERROR: geoip IO error: %s", __local_name, strerror(errno)); } } } From e46efeb42f1abd82135438fad9ce05099055deee Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 27 Nov 2019 08:15:13 -0500 Subject: [PATCH 03/13] Add some debug messages. --- src/analysisd/decoders/geoip.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/analysisd/decoders/geoip.c b/src/analysisd/decoders/geoip.c index bac2836360..edbba42bb4 100644 --- a/src/analysisd/decoders/geoip.c +++ b/src/analysisd/decoders/geoip.c 
@@ -26,18 +26,23 @@ char *GetGeoInfobyIP(char *ip_addr) { + + //debug1("%s: DEBUG: Entered GetGeoInfobyIP", __local_name); + if(!ip_addr) { + debug1("%s: DEBUG: (geo) ip_addr is NULL"); return(NULL); } if(!Config.geoipdb_file) { + debug1("%s: DEBUG: (geo) Config.geoipdb_file (geoipdb) is null"); return(NULL); } int gai_error, mmdb_error; MMDB_lookup_result_s geo_result = MMDB_lookup_string(&geoipdb, ip_addr, &gai_error, &mmdb_error); if(gai_error != 0) { - merror("%s: ERROR: error from getaddrinfo for %s: %s", __local_name, ip_addr, gai_strerror(gai_error)); + merror("%s: ERROR: error from (geo) getaddrinfo for %s: %s", __local_name, ip_addr, gai_strerror(gai_error)); return(NULL); } @@ -71,7 +76,7 @@ char *GetGeoInfobyIP(char *ip_addr) } snprintf(country_code, 3, "%.2s", entry_data.utf8_string); if(strnlen(country_code, 3) != 2) { - debug1("country_code is wrong?"); + debug1("%s: DEBUG: (geo) country_code is wrong?", __local_name); } MMDB_free_entry_data_list(entry_data_list); From abfa54341845cbe8d21d0cb370c03fbb32a21306 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 27 Nov 2019 08:15:44 -0500 Subject: [PATCH 04/13] Was getting double free crashes. --- src/analysisd/eventinfo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analysisd/eventinfo.c b/src/analysisd/eventinfo.c index 9cc2b62e32..9c0727852f 100644 --- a/src/analysisd/eventinfo.c +++ b/src/analysisd/eventinfo.c @@ -574,7 +574,7 @@ void Free_Eventinfo(Eventinfo *lf) } if(lf->srcgeoip) { - free(lf->srcgeoip); + //free(lf->srcgeoip); lf->srcgeoip = NULL; } @@ -583,7 +583,7 @@ void Free_Eventinfo(Eventinfo *lf) } if(lf->dstgeoip) { - free(lf->dstgeoip); + //free(lf->dstgeoip); lf->dstgeoip = NULL; } From dd957b820dd7db00cb1a457cdb50e294a96e4333 Mon Sep 17 00:00:00 2001 
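Review bot: Commenting out `free(lf->srcgeoip)` and `free(lf->dstgeoip)` in `Free_Eventinfo()` (both eventinfo.c hunks) silences the crash but leaves the ownership of these fields undefined. The crash is consistent with `GetGeoInfobyIP()` returning its `static char country_code[3]` since PATCH 01, which would make the old `free()` an invalid free of static storage rather than a double free; the assignment sites are not in this diff, so that is inferred. With the calls disabled, any path that still stores heap memory in these fields leaks once per event. I would keep `free(lf->srcgeoip);` and `free(lf->dstgeoip);` and restore a heap-allocated return value in the decoder. If the static buffer is kept instead, delete the lines rather than leaving them commented out, and add a comment such as `/* borrowed pointer, not owned by Eventinfo */` on the fields.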
From: ddpbsd Date: Wed, 27 Nov 2019 08:22:56 -0500 Subject: [PATCH 05/13] Fix debug messages by giving them variables to print. --- src/analysisd/decoders/geoip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analysisd/decoders/geoip.c b/src/analysisd/decoders/geoip.c index edbba42bb4..6107dbb78b 100644 --- a/src/analysisd/decoders/geoip.c +++ b/src/analysisd/decoders/geoip.c @@ -31,11 +31,11 @@ char *GetGeoInfobyIP(char *ip_addr) if(!ip_addr) { - debug1("%s: DEBUG: (geo) ip_addr is NULL"); + debug1("%s: DEBUG: (geo) ip_addr is NULL", __local_name); return(NULL); } if(!Config.geoipdb_file) { - debug1("%s: DEBUG: (geo) Config.geoipdb_file (geoipdb) is null"); + debug1("%s: DEBUG: (geo) Config.geoipdb_file (geoipdb) is null", __local_name); return(NULL); } From 2c984a08116e673b2b0c45f7636882556d67c771 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 27 Nov 2019 08:53:11 -0500 Subject: [PATCH 06/13] Install the libmaxminddb-dev package. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 8fdea12a59..cfe4531b5e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -44,7 +44,7 @@ before_script: - sudo apt-get install -y libevent-dev - ( wget https://ftp.pcre.org/pub/pcre/pcre2-10.32.tar.gz && tar xzf pcre2-10.32.tar.gz -C src/external ) -- if [[ "${GEOIP}" == "yes" ]]; then ( sudo apt-get install geoip-bin geoip-database libgeoip-dev libgeoip1 ); fi +- if [[ "${GEOIP}" == "yes" ]]; then ( sudo apt-get install libmaxminddb-dev libmaxminddb0 ); fi - if [[ "${PRELUDE}" == "yes" ]]; then ( sudo apt-get install libprelude-dev ); fi - if [[ "${ZEROMQ}" == "yes" ]]; then ( sudo apt-get install libzmq3-dev libtool autoconf libczmq-dev ); fi - if [[ "${OSSEC_TYPE}" == "winagent" ]]; then ( sudo apt-get install aptitude && sudo aptitude -y install mingw-w64 nsis ); fi From 4dedecaa9917c467fb36a8bcf0501bc5f284e8c5 Mon Sep 17 00:00:00 2001 
From: ddpbsd Date: Wed, 27 Nov 2019 09:09:53 -0500 Subject: [PATCH 07/13] Temporary work around for finding maxminddb.h. I'll need to figure out a better way to find it before actually creating a PR for this. --- src/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Makefile b/src/Makefile index 39ea05148e..4f468eee35 100644 --- a/src/Makefile +++ b/src/Makefile @@ -237,6 +237,7 @@ endif # USE_ZEROMQ ifneq (,$(filter ${USE_GEOIP},auto yes y Y 1)) DEFINES+=-DLIBGEOIP_ENABLED OSSEC_LDFLAGS+=-lmaxminddb + OSSEC_CFLAGS+=-I/usr/include/x86_64-linux-gnu endif # USE_GEOIP ifneq (,$(filter ${USE_SQLITE},auto yes y Y 1)) From 5416500ede695a4bd5db3ce36dc033ea7e12d6a4 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 20 Dec 2019 07:32:28 -0500 Subject: [PATCH 08/13] Add some more information to an error message. --- src/analysisd/decoders/syscheck.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index a6d675892a..3facbb15bb 100644 --- a/src/analysisd/decoders/syscheck.c +++ b/src/analysisd/decoders/syscheck.c @@ -287,7 +287,7 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf) /* Get name */ saved_name = strchr(sdb.buf, ' '); if (saved_name == NULL) { - merror("%s: Invalid integrity message in the database.", ARGV0); + merror("%s: Invalid integrity message in the database. (agentid: %d, sdb.buf: %s", ARGV0, agent_id, sdb.buf); fgetpos(fp, &sdb.init_pos); /* Get next location */ continue; } From 1172cada9837943d3e273c6b177d231165513325 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 20 Dec 2019 07:32:55 -0500 Subject: [PATCH 09/13] Add a debug message. --- src/os_net/os_net.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/os_net/os_net.c b/src/os_net/os_net.c index f18e3be774..dfe0f111ea 100644 --- a/src/os_net/os_net.c +++ b/src/os_net/os_net.c 
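Review bot: The extended `merror()` in `DB_Search()` writes the whole of `sdb.buf` to the log with an unbounded `%s`. That buffer is a line from the integrity database that has just failed parsing, so its content and length are whatever ended up in the file; embedded control characters or a trailing newline go into the analysisd log unescaped and can produce confusing or misleading extra log lines. Bounding and delimiting the value keeps the diagnostic while limiting that, e.g. `"%s: Invalid integrity message in the database. (agentid: %d, sdb.buf: '%.128s')"`, which also restores the closing parenthesis the new message is missing. `agent_id` is declared outside the hunk, so confirm it is an `int` to match `%d`.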
@@ -601,6 +601,7 @@ int OS_SendUnix(int socket, const char *msg, int size) if (errno == ENOBUFS) { return (OS_SOCKBUSY); } + debug1("DEBUG: OS_SendUnix errno: %d: %s", errno, strerror(errno)); return (OS_SOCKTERR); } From 7706e741c5c72abc84d2fdcdc26b34e18eeefe5b Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Mon, 13 Jan 2020 07:26:44 -0500 Subject: [PATCH 10/13] goto for the cleanup stuff. --- src/analysisd/decoders/geoip.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/analysisd/decoders/geoip.c b/src/analysisd/decoders/geoip.c index bac2836360..fb17eb3eb6 100644 --- a/src/analysisd/decoders/geoip.c +++ b/src/analysisd/decoders/geoip.c @@ -62,12 +62,10 @@ char *GetGeoInfobyIP(char *ip_addr) MMDB_entry_data_s entry_data; int cc = MMDB_get_value(&geo_result.entry, &entry_data, "country", "iso_code", NULL); if(cc != MMDB_SUCCESS) { - MMDB_free_entry_data_list(entry_data_list); - return(NULL); + goto cleanup; } if(!entry_data.has_data || entry_data.type != MMDB_DATA_TYPE_UTF8_STRING) { - MMDB_free_entry_data_list(entry_data_list); - return(NULL); + goto cleanup; } snprintf(country_code, 3, "%.2s", entry_data.utf8_string); if(strnlen(country_code, 3) != 2) { @@ -79,11 +77,15 @@ char *GetGeoInfobyIP(char *ip_addr) } } else { debug1("%s: DEBUG: No entry for %s", __local_name, ip_addr); - MMDB_free_entry_data_list(entry_data_list); - return(NULL); + goto cleanup; } /* Should not get here */ + MMDB_free_entry_data_list(entry_data_list); + return(NULL); + +cleanup: + MMDB_free_entry_data_list(entry_data_list); return(NULL); } From efe228f30d3c6f7c6caa8e0d75c1d51e7b7c7736 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 21 Jan 2020 08:14:48 -0500 Subject: [PATCH 11/13] Add a changelog.md to try and track changes a bit better. --- changelog.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 changelog.md diff --git a/changelog.md b/changelog.md new file mode 100644 index 0000000000..b7708b40e5 --- /dev/null 
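Review bot: In the geoip.c hunks, the fall-through tail after `/* Should not get here */` and the new `cleanup:` label contain the same two statements, so `GetGeoInfobyIP()` ends with two exits doing identical work. Dropping the first `MMDB_free_entry_data_list(entry_data_list); return(NULL);` pair and letting control fall into `cleanup:` gives a single release point. The `MMDB_get_entry_data_list()` failure branch above the first hunk (visible in PATCH 01) still does a bare `return(NULL);`. Routing it through `goto cleanup;` as well would release anything the library allocated before failing. The function starts outside these hunks.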
+++ b/changelog.md @@ -0,0 +1,22 @@ +# 3.6.0 + +## Breaking changes + +### empty pcre2 options raise an error + +Previously empty `pcre2` options could be used: +`` + +This has been changed to raise an error. +Now there must be a value for these options: +`.*` + +### maxminddb + +geoip support has been replaced with [libmaxminddb](https://github.com/maxmind/libmaxminddb) +The maxminddb development package should be installed to enable geoip support. +The `geoipdb` configuration option has been re-used for the new database. +Testing has only been done with the `GeoLite2-Country.mmdb` database, and currently the country +`iso_code` is the only output. + + From 334a14b5268eeee9eaaf58422ae7e3cc7706729a Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 4 Jan 2022 10:36:27 -0500 Subject: [PATCH 12/13] Get rid of some old geoip 1 stuff. --- src/analysisd/analysisd.c | 4 ---- src/analysisd/makelists.c | 4 ---- src/analysisd/testrule.c | 7 ------- 3 files changed, 15 deletions(-) diff --git a/src/analysisd/analysisd.c b/src/analysisd/analysisd.c index c9aa16582f..588fafc0fd 100644 --- a/src/analysisd/analysisd.c +++ b/src/analysisd/analysisd.c @@ -46,10 +46,6 @@ sqlite3 *conn; #endif -#ifdef LIBGEOIP_ENABLED -GeoIP *geoipdb; -#endif - #ifdef LIBGEOIP_ENABLED #include #endif diff --git a/src/analysisd/makelists.c b/src/analysisd/makelists.c index dfbe6a4a31..06c90db709 100644 --- a/src/analysisd/makelists.c +++ b/src/analysisd/makelists.c @@ -32,10 +32,6 @@ time_t c_time; char __shost[512]; OSDecoderInfo *NULL_Decoder; -#ifdef LIBGEOIP_ENABLED -GeoIP *geoipdb; -#endif - /* print help statement */ __attribute__((noreturn)) static void help_makelists(void) diff --git a/src/analysisd/testrule.c b/src/analysisd/testrule.c index 619835cfe0..3bd6062bda 100644 --- a/src/analysisd/testrule.c +++ b/src/analysisd/testrule.c 
@@ -85,13 +85,6 @@ int main(int argc, char **argv) active_responses = NULL; memset(prev_month, '\0', 4); -/* -#ifdef LIBGEOIP_ENABLED - extern GeoIP *geoipdb; - geoipdb = NULL; -#endif -*/ - while ((c = getopt(argc, argv, "VatvdhU:D:c:q")) != -1) { switch (c) { case 'V': From 346068278400044d7deb5c08abdf2e9c5baad337 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 4 Jan 2022 10:41:18 -0500 Subject: [PATCH 13/13] Fixup the geoip stuff. --- src/analysisd/decoders/geoip.c | 1 + src/analysisd/testrule.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/analysisd/decoders/geoip.c b/src/analysisd/decoders/geoip.c index 23cb328f2f..f8016a7bc2 100644 --- a/src/analysisd/decoders/geoip.c +++ b/src/analysisd/decoders/geoip.c @@ -27,6 +27,7 @@ char *GetGeoInfobyIP(char *ip_addr) { //debug1("%s: DEBUG: Entered GetGeoInfobyIP", __local_name); + MMDB_s geoipdb; if(!ip_addr) { diff --git a/src/analysisd/testrule.c b/src/analysisd/testrule.c index 3bd6062bda..d8cb73dbc8 100644 --- a/src/analysisd/testrule.c +++ b/src/analysisd/testrule.c @@ -31,7 +31,7 @@ /** Internal Functions **/ void OS_ReadMSG(char *ut_str); #ifdef LIBGEOIP_ENABLED - MMDB_s geoipdb; + extern MMDB_s geoipdb; #endif /* Analysisd function */
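Review bot: The `MMDB_s geoipdb;` added in the geoip.c hunk sits inside `GetGeoInfobyIP()`, so it is an uninitialised automatic variable that shadows the database handle filled in by `MMDB_open()` in analysisd.c and testrule.c. The lookup later in the function, `MMDB_lookup_string(&geoipdb, ip_addr, ...)` (outside this hunk but visible in PATCH 01), would then run on indeterminate struct contents for every event that carries an address. That is undefined behaviour and in practice a likely crash of the analysis daemon on ordinary log input. The declaration should refer to the shared object instead: `extern MMDB_s geoipdb;` at file scope, as the testrule.c hunk in this same commit does. If geoip.c already sees a declaration through config.h (its include list is only partly visible), the added line can simply be removed.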