geoip-conn - Add geolocation fields to
If you have Zeek compiled with
this package will add a nested record called
geo to the
conn log that
conains fields for each originating and responding IP that describe:
- Country code
A GeoLite2 geolocation database is included with the package for out-of-the-box functionality.
This package includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.
This package was inspired by an old Zeek script conn-add-geodata.bro which unfortunately lacks author or license information. Before creating this package, a thread on public Zeek Slack was initiated in an attempt to hunt down the author, but no definitive answer was found. This package goes further by being delivered as a Zeek package and by adding fields for more than just country info.
About the included GeoLite2 database
Per the MaxMind FAQ, the free GeoLite2 database is less accurate than the paid GeoIP2 version. While the author of this package has not attempted it, the FAQ indicates that the paid version should work as a "drop-in replacement".
The MaxMind FAQ also indicates the database is updated weekly, every Tuesday. All attempts will be made to keep the database verison in this repo current. However, if you're concerned about accuracy, you may want to create your own MaxMind login and keep your local copy up to date.
If you delete the database file
GeoLite2-City.mmdb that comes with this
package, Zeek will fall back to looking for a database in