jimbo.redneck at gmail.com
Thu Sep 11 09:23:31 PDT 2008
Thanks for the reply. I have played around with the script but I keep
getting the following error:
/usr/local/bro/policy/http-entity.bro, line 9: error: unknown
identifier lookup_http_request_stream, at or near
On Thu, Sep 11, 2008 at 9:26 AM, Seth Hall <hall.692 at osu.edu> wrote:
> On Sep 11, 2008, at 8:50 AM, Jim Bo wrote:
>> Does anyone have a GeoIP example that will check all http/https
>> connections and log attempts from non XX countries?
> Checking https connections doesn't make much sense because there are no
> distinguishing features from any other SSL encrypted session other than
> maybe the port number, but that's not very definitive. You could watch for
> SSL sessions in general (using DPD) to sort of catch https sessions.
> For http, I attached a script I just wrote to do what you want. It takes a
> list of country codes as a configuration option and will log all requests
> that aren't going to or coming from one of your defined countries. I
> haven't tested the code at all (I think it should work), but it should give
> you a general idea of how to do this.
> Another concern I have about this script is that I'm not completely sure how
> well the geoip library can handle extremely high levels of queries against.
> I've heard in certain circumstances that if you do too many lookups in Bro
> (many, many thousands per second) it will begin to return incorrect data.
> So, if you start using this, keep an eye on the data you're getting and
> make sure it's what you expect.
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
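An added illustration of the approach Seth describes, written against the Bro 1.x script API rather than taken from his attached script: it assumes the GeoIP builtin lookup_location() returns a geo_location record with a country_code field, that the http-request analyzer provides the http_request event, and uses local_countries and local_nets as configuration names of my own choosing.

```bro
# Added example (not the script attached to the reply): log HTTP requests
# where either endpoint is outside a configured set of country codes.
# Assumptions: Bro 1.x lookup_location(addr) -> geo_location with a
# country_code field, and the http-request analyzer's http_request event.
@load http-request

module HTTPGeoIP;

export {
    # Country codes considered "ours"; anything else gets logged.
    const local_countries: set[string] = { "US" } &redef;
    # Addresses GeoIP cannot place (RFC1918 etc.) are treated as local
    # rather than being logged as foreign on every request.
    const local_nets: set[subnet] = {
        10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
    } &redef;
}

function country_of(a: addr): string
{
    if ( a in local_nets )
        return "LOCAL";
    local loc = lookup_location(a);
    # An empty country_code means the database had no entry; mark it
    # explicitly so odd lookup results (see the caveat above) stand out.
    return loc$country_code == "" ? "??" : loc$country_code;
}

function is_foreign(cc: string): bool
{
    return cc != "LOCAL" && cc !in local_countries;
}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    local orig_cc = country_of(c$id$orig_h);
    local resp_cc = country_of(c$id$resp_h);

    # Log when either the client or the server is outside local_countries.
    if ( is_foreign(orig_cc) || is_foreign(resp_cc) )
        print fmt("%s %s [%s] -> %s [%s] %s %s",
                  network_time(), c$id$orig_h, orig_cc,
                  c$id$resp_h, resp_cc, method, original_URI);
}
```

Override the sets with redef in your own policy (for example redef HTTPGeoIP::local_countries += { "CA" };) rather than editing the script.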