Re: Intrusion Statistics
On Fri, 05 Aug 2011 11:59:51 -0400, shawn wilson wrote:
> 1. How are you figuring the source country? If you're looking at the IP
> in the handshake and comparing this to a db of IP / country, you're only
> looking at half of the story. If you're a bit smarter and have a list of
> border routers that country owns and are looking at that for the source
> country, this is probably better.
My router emails me with its log when it fills, with entries like these:
Aug 4 07:52:42 | Drop TCP packet from WAN (src:18.104.22.168:12200,
dst:nnn.nnn.nnn.nnn:nn) by default rule
Aug 4 06:25:53 | Drop PING request from WAN (ip:22.214.171.124).
I just have a small shell script which reads the emails, extracts the IP
addresses and does a lookup on my Geo IP database. Nothing elaborate.
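
A sketch of the kind of extraction described in the message above, added here as an example and not the poster's own script. The function names, the sample entries (documentation addresses) and the placeholder country table standing in for a GeoIP database are assumptions.

```shell
#!/bin/sh
# Added example. Sample entries are constructed in the router's two formats
# using documentation addresses; the wrapped "dst:" line mimics the e-mail.
SAMPLE_LOG='Aug 4 07:52:42 | Drop TCP packet from WAN (src:203.0.113.7:12200,
dst:192.0.2.1:22) by default rule
Aug 4 07:52:43 | Drop TCP packet from WAN (src:203.0.113.7:12201,
dst:192.0.2.1:23) by default rule
Aug 4 06:25:53 | Drop PING request from WAN (ip:198.51.100.9).
Aug 4 06:30:00 | Drop PING request from WAN (ip:203.0.113.200).
Aug 4 06:31:00 | Drop PING request from WAN (ip:999.1.1.1).'

# Print the source address of each drop entry read from stdin.
# Only the "src:"/"ip:" part is matched, so e-mail line wrapping before
# "dst:" does not matter; addresses with an octet above 255 are discarded.
extract_src_ips() {
    sed -n \
        -e 's/.*Drop .* from WAN (src:\([0-9.]*\):[0-9]*,.*/\1/p' \
        -e 's/.*Drop .* from WAN (ip:\([0-9.]*\)).*/\1/p' |
    awk -F. '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
             $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# Hypothetical stand-in for the GeoIP database lookup: a constructed table
# with placeholder country codes. Replace with a query to a real database.
geo_lookup() {
    case "$1" in
        203.0.113.*)  echo "XA" ;;
        198.51.100.*) echo "XB" ;;
        *)            echo "??" ;;
    esac
}

# Count unique source addresses per country, so that one noisy scanner
# sending many packets is counted once. Output: "<country> <sources>".
country_counts() {
    extract_src_ips | sort -u |
    while read -r ip; do geo_lookup "$ip"; done |
    sort | uniq -c | sort -k1,1nr -k2 | awk '{ print $2, $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | country_counts
```

The result reflects only the address recorded in the packet header, which is the limitation raised in the quoted question.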