GEOIP

Does anyone have a GeoIP example that will check all http/https connections and log attempts from non XX countries?

Thanks,
Jimbo

Checking https connections doesn't make much sense because there are no distinguishing features from any other SSL encrypted session other than maybe the port number, but that's not very definitive. You could watch for SSL sessions in general (using DPD) to sort of catch https sessions.

For http, I attached a script I just wrote to do what you want. It takes a list of country codes as a configuration option and will log all requests that aren't going to or coming from one of your defined countries. I haven't tested the code at all (I think it should work), but it should give you a general idea of how to do this.

Another concern I have about this script is that I'm not completely sure how well the geoip library can handle extremely high levels of queries against it. I've heard in certain circumstances that if you do too many lookups in Bro (many, many thousands per second) it will begin to return incorrect data. So, if you start using this, keep an eye on the data you're getting and make sure it's what you expect.

   .Seth

http-geo-logging.bro (856 Bytes)

Thanks for the reply. I have played around with the script but I keep getting the following error:

/usr/local/bro/policy/http-entity.bro, line 9: error: unknown
identifier lookup_http_request_stream, at or near
"lookup_http_request_stream"

Fixed version. I had several bugs :)

http-geo-logging.bro (915 Bytes)
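The attached script is not reproduced on this page, so here is an added example (not Seth's http-geo-logging.bro) of the same idea: a configurable set of home country codes, with a notice for every HTTP request whose endpoints fall outside it. It is written in current Zeek syntax rather than the Bro 1.x syntax of the attachment, assumes Zeek was built with GeoIP support so that lookup_location() returns populated records, and goes slightly beyond the thread by also checking SSL sessions at the connection level (the most that can be done for port 443 without seeing plaintext); the home_countries default is a placeholder.

```zeek
# Added example; assumes GeoIP support is compiled in.
module GeoHTTP;

export {
    # Country codes considered "home"; anything else raises a notice.
    # Placeholder default, override with redef.
    const home_countries: set[string] = { "US", "CA" } &redef;

    redef enum Notice::Type += {
        ## An HTTP request or SSL session involving a non-home country.
        Foreign_Endpoint,
    };
}

# ISO country code for an address, or "??" when the database has no
# entry (private ranges, unmapped space, lookup failure).
function country_of(a: addr): string
    {
    local loc = lookup_location(a);
    return loc?$country_code ? loc$country_code : "??";
    }

# One notice per connection if either endpoint is outside home_countries.
# Unknown codes are reported too, so a missing or broken GeoIP database
# shows up in the notices instead of silently passing as "home".
function check_endpoints(c: connection, proto: string)
    {
    local oc = country_of(c$id$orig_h);
    local rc = country_of(c$id$resp_h);

    if ( oc in home_countries && rc in home_countries )
        return;

    NOTICE([$note=Foreign_Endpoint,
            $conn=c,
            $msg=fmt("%s %s (%s) -> %s (%s)", proto,
                     c$id$orig_h, oc, c$id$resp_h, rc),
            $identifier=cat(c$id$orig_h, c$id$resp_h, proto),
            $suppress_for=1hr]);
    }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    check_endpoints(c, "HTTP");
    }

# Covers port 443 and other TLS traffic at the session level only.
event ssl_established(c: connection)
    {
    check_endpoints(c, "SSL");
    }
```

Load it alongside the default policy and the notices land in notice.log, deduplicated per endpoint pair for an hour by the suppress_for setting.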

Is there a way to extract the incoming IP addresses on ports 80 and 443 and run the IP addresses through GeoIP?

That's more or less what the script I sent to the list does (except for port 443). I guess I just don't know what end result you're looking to get.

Also, is there any sort of documentation or even books that I can look at / buy that would help me with this type of stuff so that I don't have to keep bothering you?

The best current documentation is in the slides and related exercises from the Bro workshop that took place last summer.
     http://bro-ids.org/wiki/index.php/WorkshopMaterial

A *little* bit of documentation about the libGeoIP support can be found here:
     http://bro-ids.org/wiki/index.php/GeoLocation

There is also a lot of good material to be found in the manuals:
     http://bro-ids.org/wiki/index.php/User_Manual
     http://bro-ids.org/wiki/index.php/Reference_Manual

Hopefully that helps. Feel free to keep asking questions though.

   .Seth