[Bro] issue with geoip lookups

Nicholas Weaver nweaver at ICSI.Berkeley.EDU
Fri Oct 5 08:05:21 PDT 2007


The test:
nweaver at alpo:~/geoip/GeoIP-1.4.3/apps> ./geoiplookup 63.22.236.1
GeoIP City Edition, Rev 1: US, MA, Westford, 01886, 42.588799, -71.441597, 506, 978
GeoIP City Edition, Rev 0: US, MA, Westford, 01886, 42.588799, -71.441597

nweaver at alpo:~/geoip/GeoIP-1.4.3/apps> ./geoiplookup 1.236.22.63
GeoIP City Edition, Rev 1: IP Address not found
GeoIP City Edition, Rev 0: IP Address not found
nweaver at alpo:~/geoip/GeoIP-1.4.3/apps> 

Manually confirmed 63.22.236.1 is in the Boston area by traceroute
(last hop before failure is ar2.bos24.alter.net, and there is a huge
hop in latency of 85ms between sjc*.alter.net and bos*.alter.net).


Using my geo-alert google-map policy, it IS the opposite:
1.236.22.63 is the one resolved.

A change in bro.bif
<               gir = GeoIP_record_by_ipnum(geoip, addr);
---
>               gir = GeoIP_record_by_ipnum(geoip, ntohl(addr));
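
Review bot: the changed line passes ntohl(addr) with no comment explaining why, so a later cleanup could drop the conversion again; add a short comment above it stating that GeoIP_record_by_ipnum expects the address in host byte order and that addr arrives in network order. The failure was silent (a byte-reversed address was looked up rather than an error being raised), so a regression check with an asymmetric address such as 63.22.236.1 would be worth adding alongside this change.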

and it works right, thanks Vern.

The GeoIP library's internal form is
a.b.c.d -> a << 24 + b << 16 + c << 8 + d << 0

So standard host order, while Bro's AddrVal type is
network order.

-- 
Nicholas C. Weaver                               nweaver at icsi.berkeley.edu
     This message has been ROT-13 encrypted twice for higher security.
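
The byte-order mismatch described in the message above, as an added example that is not part of the original post and is not Bro or GeoIP code: it shows which dotted quad a lookup keyed on a host-order number sees when handed a network-order address with and without ntohl(). The helper names ipnum_from_octets, parse_network_order and seen_by_lookup are hypothetical, and no GeoIP database is consulted.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Host-order number in the form the post describes:
 * a.b.c.d -> (a << 24) + (b << 16) + (c << 8) + d. */
static uint32_t ipnum_from_octets(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Parse a dotted quad into network byte order, the order the post says
 * Bro's AddrVal uses. Returns 0 on success, -1 on malformed input. */
static int parse_network_order(const char *text, uint32_t *net)
{
    struct in_addr in;
    if (inet_pton(AF_INET, text, &in) != 1)
        return -1;
    *net = in.s_addr;
    return 0;
}

/* Hypothetical stand-in for a lookup keyed on a host-order number:
 * renders the number as the dotted quad such a lookup would search for. */
static const char *seen_by_lookup(uint32_t ipnum, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u",
             (unsigned)(ipnum >> 24), (unsigned)((ipnum >> 16) & 0xff),
             (unsigned)((ipnum >> 8) & 0xff), (unsigned)(ipnum & 0xff));
    return buf;
}

int main(void)
{
    uint32_t net;
    char buf[16];

    if (parse_network_order("63.22.236.1", &net) != 0)
        return 1;
    /* Before the fix: the network-order value is handed over unchanged. */
    printf("without ntohl: %s\n", seen_by_lookup(net, buf, sizeof buf));
    /* After the fix: converted to host order first. */
    printf("with ntohl:    %s\n", seen_by_lookup(ntohl(net), buf, sizeof buf));
    return ntohl(net) == ipnum_from_octets(63, 22, 236, 1) ? 0 : 1;
}
```

On a little-endian host the first line prints 1.236.22.63 and the second 63.22.236.1; on a big-endian host both lines match, which is why a bug of this kind can go unnoticed on some platforms.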


