GEOIP

Jim_Bo · September 11, 2008, 12:50pm

Does anyone have a GeoIP example that will check all http/https
connections and log attempts from non XX countries?

Thanks,
Jimbo

Seth_Hall · September 11, 2008, 1:26pm

Checking https connections doesn't make much sense because there are no distinguishing features from any other SSL encrypted session other than maybe the port number, but that's not very definitive. You could watch for SSL sessions in general (using DPD) to sort of catch https sessions.

For http, I attached a script I just wrote to do what you want. It takes a list of country codes as a configuration option and will log all requests that aren't going to or coming from one of your defined countries. I haven't tested the code at all (I think it should work), but it should give you a general idea of how to do this.

Another concern I have about this script is that I'm not completely sure how well the geoip library can handle extremely high levels of queries against. I've heard in certain circumstances that if you do too many lookups in Bro (many, many thousands per second) it will begin to return incorrect data. So, if you start using this, keep an eye on the data you're getting and make sure it's what you expect.

.Seth

http-geo-logging.bro (856 Bytes)

Jim_Bo · September 11, 2008, 4:23pm

Thanks for the reply. I have played around with the script but I keep
getting the following error:

/usr/local/bro/policy/http-entity.bro, line 9: error: unknown
identifier lookup_http_request_stream, at or near
"lookup_http_request_stream"

Seth_Hall · September 11, 2008, 4:35pm

Fixed version. I had several bugs

http-geo-logging.bro (915 Bytes)

Seth_Hall · September 12, 2008, 12:44pm

Is there a way to extract the incoming IP addresses on ports 80 and
443 and run the IP addresses through GeoIP.

That's more or less what the script does that I sent to the list. (except for port 443). I guess I just don't know what end result you're looking to get.

Also is there any sort of
documentation or even books that I can look at / buy that would help
me with this type of stuff so that I dont have to keep bothering you.

The best current documentation is in the slides and related exercises from Bro workshop that took place last summer.
http://bro-ids.org/wiki/index.php/WorkshopMaterial

A *little* bit of documentation about the libGeoIP support can be found here:
http://bro-ids.org/wiki/index.php/GeoLocation

There is also a lot of good material to be found in the manuals:
http://bro-ids.org/wiki/index.php/User_Manual
http://bro-ids.org/wiki/index.php/Reference_Manual

Hopefully that helps. Feel free to keep asking questions though.

.Seth

Topic		Replies	Views
issue with geoip lookups Zeek	9	88	May 6, 2022
Something is not clear to me concerning reporting Zeek	7	52	May 6, 2022
Capturing the SSL cert via HTTP Connect Method Zeek	4	94	May 6, 2022
can't get the http analyzer to print anything Zeek	3	60	May 6, 2022
"Faking" connections and http records Zeek	4	44	May 6, 2022

GEOIP

Related Topics