base/frameworks/notice/actions/add-geodata.zeek

Notice

This script adds geographic location data to notices for the “remote” host in a connection. It assumes that one of the addresses in a connection is “local” and one is “remote”, which is probably a safe assumption in most cases. If both addresses are remote, it uses the $src address.

Namespace: Notice

Imports: base/frameworks/notice, base/frameworks/notice/main.zeek, base/utils/site.zeek

Summary

Runtime Options

Notice::lookup_location_types: set &redef

Notice types which should have the “remote” location looked up.

Redefinitions

Notice::Action: enum

Notice::Info: record

New Fields

Notice::Info

remote_location: geo_location &log &optional

If GeoIP support is built in, notices can have geographic information attached to them.

Detailed Interface

Runtime Options

Notice::lookup_location_types

Type: set[Notice::Type]

Attributes: &redef

Default: {}

Notice types which should have the “remote” location looked up. If GeoIP support is not built in, this does nothing.
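
A site configuration that uses this option and the new remote_location field, as an added example that is not part of the Zeek distribution. It assumes GeoIP support is built in, that Site::local_nets is configured, and that the two policy scripts it loads are installed; the expected_countries set and the handler priority are choices made for the example.

```zeek
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing
@load protocols/ssl/validate-certs

# Look up the remote host's location for these notice types only.
# The default set is empty, so nothing is looked up until it is extended.
redef Notice::lookup_location_types += {
	SSH::Password_Guessing,
	SSL::Invalid_Server_Cert
};

# Constructed value for this example: countries the site normally talks to.
const expected_countries: set[string] = { "US", "CA" } &redef;

# Assumption: a low priority makes this handler run after the script has
# filled in remote_location. Every optional field is guarded, so the handler
# does nothing if the lookup did not happen or returned no country.
hook Notice::notice(n: Notice::Info) &priority=-10
	{
	if ( ! n?$remote_location )
		return;

	local loc = n$remote_location;

	if ( loc?$country_code && loc$country_code !in expected_countries )
		print fmt("%s involving unexpected country %s (src=%s)",
		          n$note, loc$country_code,
		          n?$src ? cat(n$src) : "-");
	}
```

Because remote_location carries &log, the same data also appears in notice.log for the selected notice types without any handler.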