over 2 years ago

GeoIP location and alerting

The ability to create a rule that looks up the GeoIP location of an IP address in a log that triggers a rule would be very beneficial for tracking down potentially compromised accounts/devices.

  • While generally speaking the GEOIP database is correct, it is not guaranteed to be so.

  • I could see the use of a feature or tool that utilized GeoIP and other public IP data from ARIN or RIPE to determine location and ownership of public IPs, either source or destination. That way you could quickly tell if some unusual traffic leaving or entering a server or workstation is worth a closer look or a quick block. Although there is a whois tool option that you can use to get ARIN data...