All alerts showing as unk country code.. help
-
Hello!
Sorry to keep bugging you...
It looks like pfb is just renaming the download from maxmind to .mmdb without actually extracting the files.
The GeoLite2-Country.mmdb file is 2048734 bytes, which is the same length as the GeoLite2-Country_20200303.tar.gz download from maxmind.
cp GeoLite2-Country.mmdb GeoLite2-Country.tar.gz
and then
gzip -l ./GeoLite2-Country.tar.gz
shows that the mmdb file was really a tar.gz file I think....
John
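The check described in the post above, as an added example that is not part of the original post or of pfBlockerNG: it classifies a file by its content, using the gzip magic bytes and the MaxMind DB metadata marker, instead of trusting the .mmdb name. The function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Classify a GeoIP database file by content rather than by its name.
# Prints one of: gzip, mmdb, unknown.

# Hex of the MaxMind DB metadata marker: \xab\xcd\xef followed by "MaxMind.com".
MMDB_MARKER='ab cd ef 4d 61 78 4d 69 6e 64 2e 63 6f 6d'

# hexbytes: read stdin, emit single-space-separated hex bytes on one line.
hexbytes() {
    od -An -v -tx1 | tr -s ' \n' ' '
}

# geoip_file_kind FILE (hypothetical helper name)
geoip_file_kind() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }

    # A gzip stream starts with the two magic bytes 1f 8b.
    magic=$(head -c 2 "$f" | hexbytes)
    case "$magic" in
        *'1f 8b'*) echo gzip; return 0 ;;
    esac

    # The MMDB metadata section is at the end of the file; the format
    # places its marker within the last 128 KiB.
    if tail -c 131072 "$f" | hexbytes | grep -q "$MMDB_MARKER"; then
        echo mmdb
        return 0
    fi
    echo unknown
}

# With no arguments, run on two constructed samples in a temp directory.
if [ $# -eq 0 ]; then
    d=$(mktemp -d)
    printf 'constructed' | gzip -c > "$d/renamed-download.mmdb"
    printf 'tree\253\315\357MaxMind.com' > "$d/extracted.mmdb"
    set -- "$d/renamed-download.mmdb" "$d/extracted.mmdb"
fi
for path in "$@"; do
    printf '%s: %s\n' "$path" "$(geoip_file_kind "$path")"
done
```

A result of gzip for a file named .mmdb is the symptom from this thread: the archive was renamed, not extracted.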
-
Hello!
Just more guessing...I am not sure I am looking at the correct code...
The download from maxmind is 'application/gzip'
The code doesn't look like it will decompress this type, and will only rename the downloaded file.
Maybe
if ($file_type == 'application/x-gzip' || $file_type == 'application/gzip' )
?
John
-
@BBcan177 I am still seeing this as of today on pfSense 2.4.5-RELEASE and pfBlockerNG-devel 2.2.5_30. Restarting the pfb_filter service didn't seem to fix it.
-
If "191.232.138.2" isn't present in any of your GeoIP files, then the "unknown" is understandable.
While waiting for a reply from BBcan177, have a look at the files and check if this is true?
-
@ex1580
Yes, there was a change to the file mime-types in pfSense 2.4.5 and the change to fix Shallalist and UT1 is also needed to download one of the MaxMind databases. Install the latest version of the package and re-download MaxMind from the shell with this command:
php -f /usr/local/www/pfblockerng/pfblockerng.php dc
New events should show the GeoIP column in the alerts tab.
-
@BBcan177 Excellent! Working as expected now. Maybe someday there can be a button or comment explaining how to re-download from MaxMind because I didn't even know the command did that when I was looking at it. Thanks! Keep up the good work!