[Bro] GEOIP

Jim Bo jimbo.redneck at gmail.com
Thu Sep 11 09:23:31 PDT 2008


Thanks for the reply. I have played around with the script but I keep
getting the following error:

/usr/local/bro/policy/http-entity.bro, line 9: error: unknown
identifier lookup_http_request_stream, at or near
"lookup_http_request_stream"



On Thu, Sep 11, 2008 at 9:26 AM, Seth Hall <hall.692 at osu.edu> wrote:
>
> On Sep 11, 2008, at 8:50 AM, Jim Bo wrote:
>
>> Does anyone have a GeoIP example that will check all http/https
>> connections and log attempts from non XX countries?
>
> Checking https connections doesn't make much sense because there are no
> distinguishing features from any other SSL encrypted session other than
> maybe the port number, but that's not very definitive.  You could watch for
> SSL sessions in general (using DPD) to sort of catch https sessions.
>
> For http, I attached a script I just wrote to do what you want.  It takes a
> list of country codes as a configuration option and will log all requests
>  that aren't going to or coming from one of your defined countries.  I
> haven't tested the code at all (I think it should work), but it should give
> you a general idea of how to do this.
>
> Another concern I have about this script is that I'm not completely sure how
> well the geoip library can handle extremely high levels of queries against.
>  I've heard in certain circumstances that if you do too many lookups in Bro
> (many, many thousands per second) it will begin to return incorrect data.
>  So, if you start using this, keep an eye on the data you're getting and
> make sure it's what you expect.
>
>  .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
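A sketch of the kind of script Seth describes, added here as an illustration; it is not the script attached to the original mail (which is not on this page) and it uses current Zeek syntax rather than the 2008 Bro 1.x API the error above refers to. The `GeoHTTP` module name, the `Foreign_HTTP_Request` notice and the `"US"` default are assumptions.

```zeek
##! Log HTTP requests where neither endpoint is in an allowed country.
##! Added example, not the script attached to the original mail.

@load base/frameworks/notice

module GeoHTTP;

export {
    redef enum Notice::Type += {
        ## An HTTP request where neither endpoint geolocates to an
        ## allowed country.
        Foreign_HTTP_Request
    };

    ## Country codes treated as "ours"; everything else is logged.
    ## Hypothetical default, tune it with a redef in local.zeek.
    const allowed_countries: set[string] = { "US" } &redef;
}

## Returns T if the address geolocates to an allowed country.
## Addresses with no country (RFC1918, unmapped ranges) are treated as
## allowed so local traffic does not flood the log; that is a policy
## choice made for this example, not something the mail specified.
function from_allowed_country(a: addr): bool
    {
    local loc = lookup_location(a);
    if ( ! loc?$country_code )
        return T;
    return loc$country_code in allowed_countries;
    }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    # Log only when neither the client nor the server is in the list.
    if ( from_allowed_country(c$id$orig_h) ||
         from_allowed_country(c$id$resp_h) )
        return;

    local oloc = lookup_location(c$id$orig_h);
    local rloc = lookup_location(c$id$resp_h);
    NOTICE([$note=Foreign_HTTP_Request,
            $conn=c,
            $msg=fmt("%s %s from %s (%s) to %s (%s)", method, original_URI,
                     c$id$orig_h, oloc?$country_code ? oloc$country_code : "??",
                     c$id$resp_h, rloc?$country_code ? rloc$country_code : "??"),
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

Every request costs two `lookup_location()` calls, so the high-lookup-rate caveat Seth raises applies directly; compare the logged country codes against a second source before trusting them on a busy link.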