##! Add GEO data for the originator and responder of a connection
##! to the connection logs.
# Based on https://github.com/zeek/bro-scripts/blob/master/conn-add-geodata.bro by Seth Hall
module Conn;
export {
## Extra conn.log columns carrying GeoIP data for the two endpoints.
## Every field is &optional, so a connection whose endpoint was not
## looked up (local address, no database entry, no GeoIP support built
## in) shows "-" in the log rather than a placeholder value.
## Field order here is the column order in conn.log; reordering or
## renaming changes the log schema consumers parse.
redef record Conn::Info += {
## Geodata for the originator of the connection based on a GeoIP lookup.
## Longitude of the originator, as reported by the GeoIP database.
orig_geo_lon: double &optional &log;
## Latitude of the originator, as reported by the GeoIP database.
orig_geo_lat: double &optional &log;
## ISO country code of the originator, as reported by the GeoIP database.
orig_geo_cc: string &optional &log;
## Geodata for the responder of the connection based on a GeoIP lookup.
## Longitude of the responder, as reported by the GeoIP database.
resp_geo_lon: double &optional &log;
## Latitude of the responder, as reported by the GeoIP database.
resp_geo_lat: double &optional &log;
## ISO country code of the responder, as reported by the GeoIP database.
resp_geo_cc: string &optional &log;
};
}
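# For geodata to work, Site::local_nets has to be defined for the site
# (zeekctl's networks.cfg, or a `redef Site::local_nets` in local.zeek).
# With an empty Site::local_nets this script enriches nothing at all and
# does so silently; an analyst seeing only "-" in the geo columns should
# check the deployment's local_nets before suspecting the GeoIP database.
#
# Only non-local IPs are enriched: local addresses carry no useful
# geolocation, and skipping them saves a lookup per flow. Addresses that
# are outside local_nets but still non-routable (other RFC1918 ranges,
# link-local, multicast) are looked up anyway; lookup_location() simply
# returns a record with no fields set for them.
#
# The geo fields are enrichment, not ground truth: the database may be
# stale, and VPN/cloud/anycast endpoints geolocate to wherever the
# provider registered the prefix. Use them for triage and pivoting, not
# as the sole basis for blocking decisions.

## Decide whether an endpoint address should be geolocated.
##
## a: the endpoint address (originator or responder).
##
## Returns: T when the site has declared its local networks and `a` is
##          not one of them; F otherwise.
function geo_enrich_addr(a: addr): bool
	{
	if ( |Site::local_nets| == 0 )
		return F;

	return ! Site::is_local_addr(a);
	}

## Populate the orig_geo_*/resp_geo_* columns of c$conn right before the
## connection record is logged.
##
## c: the connection being torn down.
event connection_state_remove(c: connection)
	{
	# c$conn is &optional on the connection record. The base conn script
	# attaches it in its own connection_state_remove handler and writes the
	# log in a later (lower-priority) one; this handler stays at the default
	# priority so the fields land in between — confirm against
	# base/protocols/conn/main.zeek if the ordering is ever changed. If
	# c$conn is missing that assumption has broken, so bail rather than crash.
	if ( ! c?$conn )
		return;

	if ( geo_enrich_addr(c$id$orig_h) )
		{
		local orig_loc = lookup_location(c$id$orig_h);
		# Every geo_location field is &optional: an address with no database
		# entry (or no GeoIP support at all) yields an empty record, so each
		# field is copied only when present.
		if ( orig_loc?$longitude )
			c$conn$orig_geo_lon = orig_loc$longitude;
		if ( orig_loc?$latitude )
			c$conn$orig_geo_lat = orig_loc$latitude;
		if ( orig_loc?$country_code )
			c$conn$orig_geo_cc = orig_loc$country_code;
		}

	if ( geo_enrich_addr(c$id$resp_h) )
		{
		local resp_loc = lookup_location(c$id$resp_h);
		if ( resp_loc?$longitude )
			c$conn$resp_geo_lon = resp_loc$longitude;
		if ( resp_loc?$latitude )
			c$conn$resp_geo_lat = resp_loc$latitude;
		if ( resp_loc?$country_code )
			c$conn$resp_geo_cc = resp_loc$country_code;
		}
	}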