Maxmind based Geo-location and ra* programs

Carter Bullard carter at qosient.com
Tue Apr 14 19:56:46 EDT 2009 

Gentle people,
All ra* programs support printing country codes, but there is much  
more to geo-location.

I am integrating the use of the MaxMind's LGPL based GeoIP library  
into argus
client's Geo location technology.  I need to get Origin AS numbers  
into the argus
records for my work, and so this seemed to be a way to go.

Currently, ralabel() and radium() can use MaxMind's GeoIPASNum.dat file
to provide Origin AS numbers for IP addresses, and later this week I  
should
get the City, State, Country, Zip Codes, along with lat/long data  
integrated.

The Origin AS number support looks pretty good:
       StartTime  Proto       SrcAddr  Dir          DstAddr      Dport  
SPkts  DPkts SBytes DBytes          Label
19:25:27.014924    esp 207.237.36.98   ->    
134.207.19.130.0x072ed6f2     2      0    252      0  AS6079:AS5058

For the city data, its not perfect, but its pretty good data for  
free ;o).  Here is what one
of the GeoIP test programs returns as a test:

24.24.24.24 US NY  New York   Jamaica      11434  40.676300   
-73.775200  501  718  America/New_York  24.24.16.0
80.24.24.24 ES 56  Catalonia  Seo De Urgel   N/A  42.349998     
1.466700    0    0  Europe/Madrid     80.24.24.0


So, good country code, state?, but some of it is interesting, as they  
don't have "Spain"
anywhere in the output, so could be a bit better?  I have to work on  
what the formats of the data
will be in the argus label fields.

You get the support by compiling the Maxmind C-library API code on  
your machine,
then with the client's ./configure you specify where the GeoIP  
distribution is.

    ./configure --with-GeoIP=yes

All the rest is pretty straight forward, but I haven't tested it,  
except to see if it works at all.

Currently the data comes out as labels, so its just ascii text in the  
argus record.  I'll
be working on more specific DSR's for geolocation in the next set of  
months, so any
dialog as to what you guys would like to get out of the Maxmind.com's  
GeoIP library,
that would be very helpful.

Take a look at their links, for additional information:

    http://www.maxmind.com/app/geolitecity

I'll have this support in the next beta release, but if everyone is  
happy with the stability
of the code set, I'll release it as argus-clients-3.0.2 very soon.

Carter



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090414/06920881/attachment.html>

More information about the argus mailing list