[Bro] issue with geoip lookups
Nicholas Weaver
nweaver at ICSI.Berkeley.EDU
Fri Oct 5 08:05:21 PDT 2007
The test:
nweaver at alpo:~/geoip/GeoIP-1.4.3/apps> ./geoiplookup 63.22.236.1
GeoIP City Edition, Rev 1: US, MA, Westford, 01886, 42.588799, -71.441597, 506, 978
GeoIP City Edition, Rev 0: US, MA, Westford, 01886, 42.588799, -71.441597
nweaver at alpo:~/geoip/GeoIP-1.4.3/apps> ./geoiplookup 1.236.22.63
GeoIP City Edition, Rev 1: IP Address not found
GeoIP City Edition, Rev 0: IP Address not found
nweaver at alpo:~/geoip/GeoIP-1.4.3/apps>
Manually confirmed 63.22.236.1 is in the Boston area by traceroute
(last hop before failure is ar2.bos24.alter.net, and there is a huge
hop in latency of 85ms between sjc*.alter.net and bos*.alter.net).
Using my geo-alert google-map policy, it IS the opposite:
1.236.22.63 is the one resolved.
A change in bro.bif
< gir = GeoIP_record_by_ipnum(geoip, addr);
---
> gir = GeoIP_record_by_ipnum(geoip, ntohl(addr));
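Review bot: the changed call GeoIP_record_by_ipnum(geoip, ntohl(addr)) carries no comment explaining the conversion, so a later cleanup could drop the ntohl() as if it were redundant. Suggest a one-line comment above the call saying that the GeoIP library expects a host-order number while addr is held in network order.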
and it works right, thanks Vern.
The GeoIP library's internal form is
a.b.c.d -> a << 24 + b << 16 + c << 8 + d << 0
So standard host order, while Bro's AddrVal type is
network order.
--
Nicholas C. Weaver nweaver at icsi.berkeley.edu
This message has been ROT-13 encrypted twice for higher security.
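
The byte-order mismatch described in this message, as an added example that is not part of the original post or of Bro's code: the helper names are hypothetical, and the address is the one from the test above. On a little-endian host the unconverted value renders as 1.236.22.63, the reversed address the message reports being resolved.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Host-order number in the form the message gives for the GeoIP library.
 * Parenthesized because in C, + binds tighter than <<. */
static uint32_t geoip_ipnum(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* An IPv4 address as its bytes sit in memory in network order (a first),
 * read back as the 32-bit integer a network-order address type holds. */
static uint32_t network_order_addr(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    uint8_t wire[4] = { a, b, c, d };
    uint32_t addr;
    memcpy(&addr, wire, sizeof addr);
    return addr;
}

/* Render the address that a host-order lookup would actually search for. */
static const char *ipnum_to_dotted(uint32_t ipnum, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u",
             (unsigned)(ipnum >> 24) & 0xff, (unsigned)(ipnum >> 16) & 0xff,
             (unsigned)(ipnum >> 8) & 0xff, (unsigned)ipnum & 0xff);
    return buf;
}

int main(void)
{
    char fixed[16], unfixed[16];
    uint32_t addr = network_order_addr(63, 22, 236, 1);

    ipnum_to_dotted(ntohl(addr), fixed, sizeof fixed);  /* with the ntohl() change */
    ipnum_to_dotted(addr, unfixed, sizeof unfixed);     /* without it */
    printf("with ntohl:    %s\n", fixed);
    printf("without ntohl: %s\n", unfixed);
    printf("matches a<<24 form: %d\n", ntohl(addr) == geoip_ipnum(63, 22, 236, 1));
    return 0;
}
```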