[Bro] GEOIP
Seth Hall
hall.692 at osu.edu
Thu Sep 11 06:26:57 PDT 2008
On Sep 11, 2008, at 8:50 AM, Jim Bo wrote:
> Does anyone have a GeoIP example that will check all http/https
> connections and log attempts from non XX countries?
Checking https connections doesn't make much sense because there are
no distinguishing features from any other SSL encrypted session other
than maybe the port number, but that's not very definitive. You could
watch for SSL sessions in general (using DPD) to sort of catch https
sessions.
For http, I attached a script I just wrote to do what you want. It
takes a list of country codes as a configuration option and will log
all requests that aren't going to or coming from one of your defined
countries. I haven't tested the code at all (I think it should work),
but it should give you a general idea of how to do this.
Another concern I have about this script is that I'm not completely
sure how well the geoip library can handle extremely high levels of
queries against it. I've heard in certain circumstances that if you do
too many lookups in Bro (many, many thousands per second) it will
begin to return incorrect data. So, if you start using this, keep an
eye on the data you're getting and make sure it's what you expect.
.Seth
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-geo-logging.bro
Type: application/octet-stream
Size: 856 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080911/bc9a2cd9/attachment.obj
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
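Since the attachment was scrubbed from the archive, here is an added example of the same idea, written by the editor in current Zeek syntax (Bro was renamed Zeek in 2018); it is not Seth's http-geo-logging.bro. It assumes Zeek was built with libmaxminddb so that lookup_location() returns a populated geo_location record, and the allowed_countries set holds a placeholder value to be replaced. It goes a little beyond the post: lookups are cached per address with an expiring table so a busy server does not hit the GeoIP database once per request, which is one way to address the lookup-rate concern above, and private address space and addresses with no mapping are treated as not foreign so the log is not flooded with unmapped ranges.

```zeek
##! Log HTTP transactions where either endpoint geolocates outside an
##! allowed set of countries. Editor's example, not the scrubbed attachment.
##! Assumes Zeek is built with libmaxminddb (lookup_location needs it).

@load base/protocols/http
@load base/utils/site

module HTTPGeo;

export {
    redef enum Log::ID += { LOG };

    ## Country codes treated as "ours"; anything else gets logged.
    ## Placeholder value; override with redef in local.zeek.
    const allowed_countries: set[string] = { "US" } &redef;

    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        orig_cc: string  &log &optional;
        resp_cc: string  &log &optional;
        host:    string  &log &optional;
        uri:     string  &log &optional;
    };

    global log_geo: event(rec: Info);
}

## Cache of address -> country code so repeated requests from one client
## do not each trigger a GeoIP lookup. Entries expire an hour after creation.
global cc_cache: table[addr] of string &create_expire = 1hr;

## Return the two-letter country code for an address, or "" when unknown.
function country_of(a: addr): string
{
    if ( a in cc_cache )
        return cc_cache[a];

    local cc = "";
    # RFC 1918 and similar space has no geolocation; leave it as "".
    if ( ! Site::is_private_addr(a) )
    {
        local loc = lookup_location(a);
        if ( loc?$country_code )
            cc = loc$country_code;
    }
    cc_cache[a] = cc;
    return cc;
}

## Unknown ("") is deliberately not treated as foreign.
function is_foreign(cc: string): bool
{
    return cc != "" && cc !in allowed_countries;
}

event zeek_init()
{
    Log::create_stream(LOG, [$columns=Info, $ev=log_geo, $path="http_geo"]);
}

## Fire once per HTTP transaction, after the base HTTP script has built its
## record, so host and uri are already filled in.
event HTTP::log_http(rec: HTTP::Info)
{
    local orig_cc = country_of(rec$id$orig_h);
    local resp_cc = country_of(rec$id$resp_h);

    if ( ! is_foreign(orig_cc) && ! is_foreign(resp_cc) )
        return;

    local out: Info = [$ts=rec$ts, $uid=rec$uid, $id=rec$id,
                       $orig_cc=orig_cc, $resp_cc=resp_cc];
    if ( rec?$host )
        out$host = rec$host;
    if ( rec?$uri )
        out$uri = rec$uri;

    Log::write(LOG, out);
}
```

Load it alongside the standard scripts (for example `zeek -r trace.pcap local http-geo-logging.zeek`) and the output lands in http_geo.log with both country codes next to the connection id, so an analyst can tell whether it was the client or the server that fell outside the allowed set. If lookup_location() returns empty records for every address, Zeek was built without the MaxMind library or cannot find its database, and the script will log nothing rather than fail.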