This script adds geographic location data to notices for the “remote” host in a connection. It assumes that one of the addresses in a connection is “local” and the other is “remote”, which is probably a safe assumption in most cases. If both addresses are remote, it uses the $src address.
Imports: base/frameworks/notice, base/frameworks/notice/main.zeek, base/utils/site.zeek
Notice types which should have the “remote” location looked up. If GeoIP support is not built in, this does nothing.
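An added example (not code from this page or from the Zeek distribution): a `local.zeek` fragment that enables the lookup for two notice types through the script's `Notice::lookup_location_types` set, then annotates notices whose remote country is unexpected. The chosen notice types, the `Site::local_nets` ranges and the `expected_countries` set are assumptions for illustration; `remote_location` is the field this script adds to `Notice::Info`.

```zeek
# local.zeek fragment (added example; values below are constructed).
@load policy/frameworks/notice/actions/add-geodata
@load policy/protocols/ssh/detect-bruteforcing   # defines SSH::Password_Guessing
@load policy/protocols/ssl/validate-certs        # defines SSL::Invalid_Server_Cert

# The local/remote decision relies on Site::is_local_addr, so the site's
# own networks must be declared accurately. Constructed sample ranges:
redef Site::local_nets += { 10.0.0.0/8, 192.168.0.0/16 };

# Only notice types listed here get a location lookup.
redef Notice::lookup_location_types += {
	SSH::Password_Guessing,
	SSL::Invalid_Server_Cert,
};

# Hypothetical triage setting: countries this site normally talks to.
const expected_countries: set[string] = { "US", "CA" } &redef;

# Negative priority so this body runs late in the policy hook chain.
# Every field is checked before use: without GeoIP support, or for an
# address missing from the database, the location stays unset.
hook Notice::policy(n: Notice::Info) &priority=-5
	{
	if ( n$note !in Notice::lookup_location_types )
		return;

	if ( ! n?$remote_location || ! n$remote_location?$country_code )
		return;

	local cc = n$remote_location$country_code;
	if ( cc !in expected_countries )
		n$msg = fmt("%s [unexpected remote country: %s]", n$msg, cc);
	}
```

If both endpoints of a connection fall inside `Site::local_nets`, the page's local/remote assumption does not hold, so review the declared ranges before relying on the annotation.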