BASE / Feature Requests / #52 graphs: country code breakdown

#52 graphs: country code breakdown

Milestone: 2.0x

Status: closed

Owner: nobody

Labels: Reporting (12)

Priority: 5

Updated: 2008-07-05

Created: 2006-01-08

Creator: Axton

Private: No

Would like to see a new series of graphs based on
originating country (as defined in the whois cache):
- time(hour,day,month)/country code
- alert count/country code
- desetination udp port/country code
- desetination tcp port/country code
- sig classification/country code

Discussion

Steven - 2006-01-17

Logged In: YES
user_id=599435

I'd like to second this feature suggestion. Very nice idea.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kevin Johnson - 2006-07-19

Logged In: YES
user_id=836228

Decent idea. Any ideas on where we can get the mappings of contries to IP
addresses? I am not sure using whois data is the best use of resources?

Kevin

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Axton - 2006-08-11

Logged In: YES
user_id=1242185

I had the whois cache in mind when I submitted this. Not
sure why you feel this bad use of resources. In the ddl for
the cache table:

CREATE TABLE acid_ip_cache(
ipc_ip INT NOT NULL,
ipc_fqdn VARCHAR2(50),
ipc_dns_timestamp DATE,
ipc_whois BLOB,
ipc_whois_timestamp DATE,
PRIMARY KEY (ipc_ip) );

It looks like the whois data is stored as a blob, but the
data could be parsed and stored in a seperate table that has
with this ddl:

create table acid_whois_cache (
wic_orgname varchar2(100) not null,
wic_orgid varchar2(5) not null,
wic_address varchar2(100),
wic_city varchar2(20),
wic_stateprov varchar2(5),
wic_postalcode varchar2(10),
wic_country varchar2(5),
wic_cidr varchar2(100),
wic_nettype varchar2(30),
wic_regdate date,
wic_updated date,
wic_whois_timestamp,
wic_primary key (orgid))
/

The data could be parsed cached on a schedule from the
existing whois cached or it could be parsed whe the whois
data is gathered (not sure where this happens exactly).

If, for whatever reason, you still feel using whois is a bad
use of resources; I looked around some and found this:

http://search.cpan.org/~tjmather/Geo-IP-1.27/lib/Geo/IP.pm

The data could be pulled and cached as events are registered
in the db, similar to the way the original whois data is
gathered.

Axton Grams

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kevin Johnson - 2006-08-11

Logged In: YES
user_id=836228

I guess I should clarify.<grin> I think it is a great idea, but would prefer to
devote the developer resources on implementing 2.x

This feature would definitely be good there.

Kevin

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Sean Muller - 2007-12-31

milestone: --> 2.0x
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Juergen Leising - 2008-07-05

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Juergen Leising - 2008-07-05

Logged In: YES
user_id=1341286
Originator: NO

Hello,

this has been implemented in base-1.4.0.

bye, bye

Juergen

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: