On Fri, Oct 05, 2007 at 08:38:01AM -0400, Stephen Smith composed:
I'm using the GeoIP lookup functionality in 1.3 and everything looks to be
working fine, except that all the addresses are getting looked up
"backwards". For example, if Bro looks up the address 64.236.22.63, I will
get a log entry
Connection to: 64.236.22.63 (Westford, MA, US)
which does not match with the output of a manual lookup with geoiplookup.
However if I run 63.22.236.64 through geoiplookup, I get
GeoIP City Edition, Rev 0: US, MA, Westford
I have confirmed this with several different IPs. I'm running Bro 1.3.2 on
FreeBSD 6.2 with the ports install of GeoIP 1.4.3. Any suggestions?
This is just simply a print order, (City, region, country) rather than
(country, region, city), I believe. What is the function you are
using to print out the location?
> "backwards". For example, if Bro looks up the address 64.236.22.63, I will
> get a log entry
>
> Connection to: 64.236.22.63 (Westford, MA, US)
>
> which does not match with the output of a manual lookup with geoiplookup.
>
> However if I run 63.22.236.64 through geoiplookup, I get
>
> GeoIP City Edition, Rev 0: US, MA, Westford
>
> I have confirmed this with several different IPs. I'm running Bro 1.3.2 on
> FreeBSD 6.2 with the ports install of GeoIP 1.4.3. Any suggestions?
> This is just simply a print order, (City, region, country) rather than
> (country, region, city), I believe.
I believe he's referring to 64.236.22.63 instead returning information
for 63.22.236.64 - which looks a lot like a missing ntohl().
On Fri, Oct 05, 2007 at 07:20:48AM -0700, Nicholas Weaver composed:
On Fri, Oct 05, 2007 at 07:19:00AM -0700, Vern Paxson composed:
> > This is just simply a print order, (City, region, country) rather than
> > (country, region, city), I believe.
>
> I believe he's referring to 64.236.22.63 instead returning information
> for 63.22.236.64 - which looks a lot like a missing ntohl().
Ah, yeah. (Didn't notice that).
What is the function you are using to print the IP?
Running a test now. Sorry for the confusion on my part.
The test:
nweaver@alpo:~/geoip/GeoIP-1.4.3/apps> ./geoiplookup 63.22.236.1
GeoIP City Edition, Rev 1: US, MA, Westford, 01886, 42.588799, -71.441597, 506, 978
GeoIP City Edition, Rev 0: US, MA, Westford, 01886, 42.588799, -71.441597
nweaver@alpo:~/geoip/GeoIP-1.4.3/apps> ./geoiplookup 1.236.22.63
GeoIP City Edition, Rev 1: IP Address not found
GeoIP City Edition, Rev 0: IP Address not found
nweaver@alpo:~/geoip/GeoIP-1.4.3/apps>
Manually confirmed 63.22.236.1 is in the Boston area by traceroute
(last hop before failure is ar2.bos24.alter.net, and there is a huge
hop in latency of 85ms between sjc*.alter.net and bos*.alter.net).
Using my geo-alert google-map policy, it IS the opposite:
1.236.22.63 is the one resolved.
A change in bro.bif
< gir = GeoIP_record_by_ipnum(geoip, addr);
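Review bot: the removed `<` line hands `addr`, the network-byte-order value Bro keeps for an address, straight to GeoIP_record_by_ipnum, which takes a host-order ipnum; that matches the missing ntohl() diagnosed earlier in the thread. Only the old line is shown here, so the replacement line should be checked to read `gir = GeoIP_record_by_ipnum(geoip, ntohl(addr));`, and any other *_by_ipnum call sites in bro.bif need the same conversion.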
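The octet reversal Vern diagnosed (a missing ntohl()) and the geoiplookup test Nicholas ran can be reproduced without a GeoIP database. The following C program is an added illustration, not code from Bro or libGeoIP: it packs a dotted quad the way an in_addr holds it (network byte order), then renders the integer a *_by_ipnum call would receive back into dotted-quad form, once unconverted and once after ntohl(). The helper names (pack_network_order, lookup_key_without_ntohl, lookup_key_with_ntohl) are this example's own, and the sample addresses are the ones from the thread.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Added illustration, not Bro or libGeoIP code. libGeoIP is not linked here;
 * its *_by_ipnum functions are stood in for by rendering the integer they
 * would receive back into dotted-quad form, which shows which address the
 * database would actually be asked about. */

/* 1 when the host stores the low-order byte first (x86, most ARM), else 0. */
int host_is_little_endian(void) {
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Pack a dotted quad the way an in_addr holds it: network byte order, so
 * the first octet sits at the lowest memory address whatever the host. */
uint32_t pack_network_order(const char *dotted) {
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    uint8_t bytes[4] = { (uint8_t)a, (uint8_t)b, (uint8_t)c, (uint8_t)d };
    uint32_t v;
    memcpy(&v, bytes, sizeof v);
    return v;
}

/* Render a host-order ipnum (what a *_by_ipnum call expects) as a dotted
 * quad, most significant byte first. */
void ipnum_to_dotted(uint32_t ipnum, char *out, size_t outlen) {
    snprintf(out, outlen, "%u.%u.%u.%u",
             (unsigned)((ipnum >> 24) & 0xff), (unsigned)((ipnum >> 16) & 0xff),
             (unsigned)((ipnum >> 8) & 0xff), (unsigned)(ipnum & 0xff));
}

/* Bug reproduction: hand the network-order word over unconverted. On a
 * little-endian host the octets come out reversed, so 64.236.22.63 is
 * looked up as 63.22.236.64, exactly what the original report saw. */
void lookup_key_without_ntohl(const char *dotted, char *out, size_t outlen) {
    ipnum_to_dotted(pack_network_order(dotted), out, outlen);
}

/* Fix: convert with ntohl() first; the key now matches the address on
 * every host byte order. */
void lookup_key_with_ntohl(const char *dotted, char *out, size_t outlen) {
    ipnum_to_dotted(ntohl(pack_network_order(dotted)), out, outlen);
}

int main(void) {
    /* Sample addresses taken from the thread. */
    const char *samples[] = { "64.236.22.63", "63.22.236.1" };
    char bad[16], good[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        lookup_key_without_ntohl(samples[i], bad, sizeof bad);
        lookup_key_with_ntohl(samples[i], good, sizeof good);
        printf("%-14s unconverted -> %-14s  with ntohl -> %s\n",
               samples[i], bad, good);
    }
    return 0;
}
```

On a little-endian machine the unconverted column prints the octets reversed for every address, which is why Nicholas's geoiplookup of 1.236.22.63 and Stephen's log entry for 64.236.22.63 disagreed with the manual lookups; on a big-endian host the two columns coincide and the bug stays hidden, which is a good reason to run a known-address check like Nicholas's on whatever architecture the sensor is deployed on.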