The initial Geolocation support added in https://github.com/brimsec/brim/pull/932 populates Zeek `conn` records with persistent data at the moment when pcaps are being made into Zeek logs. While useful, this doesn't cover some other Geolocation use cases. These include:

- Imported logs (not generated from pcaps) that lack Geolocation data, but that do contain IP address fields for which the user might want to know Geolocation info.
- Logs that may have already been populated with Geolocation data based on an older/different database, where the user wants Geolocation data for the IP addresses in those logs based on a current database.
Since the GeoLite2 database is now bundled with Brim (due to the use of the geoip-conn Zeek package), it should be possible for the Brim app to do these kinds of lookups on-demand, such as by using a JavaScript library (like maxmind) to query that database. If we implement a map visualization such as described in #936, this could perhaps take the form of a right-click/button operation that effectively looks up Geolocation data for all `ip`-type field values in a selected record and plots them all on the map.