Seth Hall hall.692 at osu.edu
Thu Sep 11 06:26:57 PDT 2008

On Sep 11, 2008, at 8:50 AM, Jim Bo wrote:

> Does anyone have a GeoIP example that will check all http/https
> connections and log attempts from non XX countries?

Checking https connections doesn't make much sense because there are  
no distinguishing features from any other SSL encrypted session other  
than maybe the port number, but that's not very definitive.  You could  
watch for SSL sessions in general (using DPD) to sort of catch https  

For http, I attached a script I just wrote to do what you want.  It  
takes a list of country codes as a configuration option and will log  
all requests  that aren't going to or coming from one of your defined  
countries.  I haven't tested the code at all (I think it should work),  
but it should give you a general idea of how to do this.

Another concern I have about this script is that I'm not completely  
sure how well the geoip library can handle extremely high levels of  
queries against.  I've heard in certain circumstances that if you do  
too many lookups in Bro (many, many thousands per second) it will  
begin to return incorrect data.  So, if you start using this, keep an  
eye on the data you're getting and make sure it's what you expect.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-geo-logging.bro
Type: application/octet-stream
Size: 856 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080911/bc9a2cd9/attachment.obj 
-------------- next part --------------

Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

More information about the Bro mailing list