Zeek - Adding GeoIP to 'conn.log'
Since I’m a fan of seeing things, why not identify where the network connections are coming from? In the previous post, I talked about one of the strengths of Zeek, which is the availability of packages. For what interests us here, we will use the one named “geoip-conn”.
One of the best ways to install a package, if not the best, is to use the “zkg” binary that ships with “Zeek”.
Note: I had to install two “Python” packages to make it work. Here’s the way to do it on “OpenBSD”.
$ doas pkg_add py3-semantic_version
$ doas pkg_add py3-GitPython
Once zkg is working, let’s use it.
$ zkg install geoip-conn
The following packages will be INSTALLED:
zeek/brimsec/geoip-conn (master)
Proceed? [Y/n] y
Installing "zeek/brimsec/geoip-conn"..............
Installed "zeek/brimsec/geoip-conn" (master)
Loaded "zeek/brimsec/geoip-conn"
Now that “geoip-conn” is installed, let’s see what features it offers us. Let’s check this by performing a simple query.
$ wget amazon.ca
Let’s check the presence of this one in the “http.log” file.
$ grep amazon http.log
1662498988000.561481 CI1YUq1RjPi0dRtF5f 162.212.157.188 13994 52.94.225.242 80 1 GET amazon.ca / - 1.1 Wget/1.21.3 - 0 163 301 Moved Permanently - - (empty) - - - - - - FAtLMn2fTyT1NqmdVc - text/html - -
Let’s take the identifier CI1YUq1RjPi0dRtF5f corresponding to the connection then look for a match in the “conn.log” file.
$ grep CI1YUq1RjPi0dRtF5f conn.log
1662498988000.536651 CI1YUq1RjPi0dRtF5f 162.212.157.188 13994 52.94.225.242 80 tcp http 0.233515 124 350 SF TF 0 ShADdFf 6 388 4 522 - US - - 37.751 -97.822 US VA Ashburn 39.0469 -77.4903
We have the information we want:
Country: US
State: VA
City: Ashburn
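Reading the geo fields off the end of a “conn.log” line by eye works once; to do it for a whole log it helps to parse Zeek's tab-separated ASCII format by its “#fields” header instead of counting columns. The script below is an added example, not part of this post or of the geoip-conn package. The sample log is constructed: its first data line reproduces the connection above, the second is a made-up internal SSH connection that GeoIP cannot resolve, and the names of the appended columns (“geo.orig.*” and “geo.resp.*”, following the country_code/region/city/latitude/longitude order of Zeek's geo_location record) are an assumption about how the package labels them.

```python
from collections import Counter

# Constructed sample conn.log in Zeek's tab-separated ASCII format with the
# GeoIP columns appended. The geo.* column names are an assumption; the first
# data line reproduces the post's connection, the second is a constructed
# internal connection with no GeoIP match (every geo field unset, i.e. '-').
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\tgeo.orig.country_code\tgeo.orig.region\tgeo.orig.city\tgeo.orig.latitude\tgeo.orig.longitude\tgeo.resp.country_code\tgeo.resp.region\tgeo.resp.city\tgeo.resp.latitude\tgeo.resp.longitude
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]\tstring\tstring\tstring\tdouble\tdouble\tstring\tstring\tstring\tdouble\tdouble
1662498988000.536651\tCI1YUq1RjPi0dRtF5f\t162.212.157.188\t13994\t52.94.225.242\t80\ttcp\thttp\t0.233515\t124\t350\tSF\tT\tF\t0\tShADdFf\t6\t388\t4\t522\t-\tUS\t-\t-\t37.751\t-97.822\tUS\tVA\tAshburn\t39.0469\t-77.4903
1662499001.000000\tCexampleInternal01\t10.0.0.5\t51000\t10.0.0.9\t22\ttcp\tssh\t1.5\t500\t900\tSF\tT\tT\t0\tShAdDaFf\t10\t1000\t9\t1200\t-\t-\t-\t-\t-\t-\t-\t-\t-\t-\t-
#close\t2022-09-06-22-00-00
"""


def parse_zeek_log(text):
    """Parse Zeek ASCII log text into a list of dicts keyed by column name.

    The '#fields' directive names the columns and '#unset_field' tells us which
    marker means "no value"; unset cells become None so a missing GeoIP result
    cannot be confused with real data.
    """
    fields = None
    unset = "-"
    records = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            key, _, value = raw[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue  # other directives (#separator, #types, #close) are not needed here
        if fields is None:
            raise ValueError("data line encountered before the #fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def responder_location(rec):
    """Return (country_code, region, city) for the responder, or None when GeoIP had no match."""
    country = rec.get("geo.resp.country_code")
    if country is None:
        return None
    return (country, rec.get("geo.resp.region"), rec.get("geo.resp.city"))


def find_by_uid(records, uid):
    """Look up one connection by its uid, the same pivot the post does with grep."""
    return next((r for r in records if r["uid"] == uid), None)


def summarize_by_country(records):
    """Count connections per responder country; unresolved ones (e.g. RFC1918) go under 'unknown'."""
    counts = Counter()
    for rec in records:
        loc = responder_location(rec)
        counts[loc[0] if loc else "unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_CONN_LOG)
    conn = find_by_uid(recs, "CI1YUq1RjPi0dRtF5f")
    print(conn["id.resp_h"], "->", responder_location(conn))
    print(summarize_by_country(recs))
```

Parsing by header rather than by position is the point: the GeoIP columns sit after the standard conn.log fields, and any other package or local script that also extends the conn record shifts their position, while the names stay stable.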
Regards