Tuesday, December 5, 2017

gloc - command line geoIP tool

As part of my CERT-RS work, I have recently been occupied with local active botnets. One of the main IoC items when analyzing botnets, CnCs and their relations with infected hosts is the IP address, since at some point you will want to know where the attacker originates from, how he commands his botnets, etc.
I wanted to quickly pinpoint those malicious CnCs, but I was missing geoIP data for those IPs.
freegeoip.net came to mind: not that precise, but nevertheless a free service. And free is good!
However, I couldn't find any tool that would convert the list of IPs I had (adding the geo data I needed), so I decided to write one.
The result: gloc, a small (less than 90 LOC) and handy command-line utility for geolocating IP lists.
It can display info about a single IP, and it can convert a list of IP addresses and write them out in JSON, CSV or XML format.
Since it relies on the freegeoip.net API, be aware that 15,000 queries per hour is the maximum you can do. Still, this should be more than enough for most cases. Also keep in mind that the location you get is that of the CnC's hosting, not necessarily that of whoever operates it.
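To show what such a list converter has to get right, here is an added example in Python; it is not gloc's own code and the freegeoip.net request itself is not reproduced (the page gives no API details), so the lookup is an injected callable and a constructed sample table stands in for the service. Everything around it is an assumption about what a practitioner would want from the tool: input cleaning (skip comments, invalid lines, duplicates and non-routable addresses, which only waste quota), a throttle for the 15,000-per-hour limit, per-IP error handling so one failed answer does not lose the batch, and JSON/CSV/XML output with a guard against spreadsheet formula injection from API-controlled strings.

```python
"""Added example (not gloc's code): geolocate an IP list through an injected lookup."""
import collections
import csv
import io
import ipaddress
import json
import re
import time
import xml.etree.ElementTree as ET

MAX_PER_HOUR = 15000  # freegeoip.net quota as stated in the post


def parse_ip_list(text):
    """Unique, globally routable IPs from free-form text, in order of first appearance.

    '#' comments and blank lines are skipped; invalid lines and private/loopback/
    link-local/reserved addresses are dropped: geolocating RFC 1918 space yields
    no CnC intelligence and burns quota.
    """
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # not an IP at all
        if not addr.is_global:
            continue
        s = str(addr)
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


class HourlyQuota:
    """Sliding-window throttle: at most `limit` calls in any `window` seconds.

    Clock and sleep are injectable so the behaviour can be tested without waiting.
    acquire() returns the number of seconds it slept.
    """

    def __init__(self, limit=MAX_PER_HOUR, window=3600.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window, self.clock, self.sleep = limit, window, clock, sleep
        self.calls = collections.deque()

    def _expire(self, now):
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()

    def acquire(self):
        now = self.clock()
        self._expire(now)
        slept = 0.0
        if len(self.calls) >= self.limit:
            slept = self.window - (now - self.calls[0])  # until the oldest call ages out
            self.sleep(slept)
            now = self.clock()
            self._expire(now)
        self.calls.append(now)
        return slept


def geolocate(ips, lookup, quota=None):
    """Resolve each IP with `lookup(ip) -> dict` under the quota.

    A failing lookup becomes an {"error": ...} row instead of aborting the batch.
    """
    quota = quota or HourlyQuota()
    records = []
    for ip in ips:
        quota.acquire()
        try:
            info = lookup(ip)
        except Exception as exc:  # network/API failure: keep the row, note the error
            info = {"error": str(exc)}
        records.append({"ip": ip, **{k: v for k, v in info.items() if k != "ip"}})
    return records


def _csv_safe(v):
    # Spreadsheet formula injection: a string cell starting with = + - @ is executed
    # by Excel/LibreOffice. Values come from a third-party API, so neutralize them.
    return "'" + v if isinstance(v, str) and v.startswith(("=", "+", "-", "@")) else v


def render(records, fmt):
    """Serialize records as json, csv or xml; columns are the union of all keys."""
    fields = ["ip"] + sorted({k for r in records for k in r} - {"ip"})
    if fmt == "json":
        return json.dumps(records, indent=2)
    if fmt == "csv":
        buf = io.StringIO()
        w = csv.DictWriter(buf, fieldnames=fields, restval="", lineterminator="\n")
        w.writeheader()
        w.writerows({k: _csv_safe(v) for k, v in r.items()} for r in records)
        return buf.getvalue()
    if fmt == "xml":
        root = ET.Element("hosts")
        for r in records:
            host = ET.SubElement(root, "host", ip=r["ip"])
            for k in fields[1:]:
                if k in r:  # API keys are assumed identifier-like; sanitize anyway
                    ET.SubElement(host, re.sub(r"[^A-Za-z0-9_]", "_", k)).text = str(r[k])
        return ET.tostring(root, encoding="unicode")
    raise ValueError("unsupported format: " + fmt)


# Constructed sample answers standing in for the geoIP service (not authoritative data).
SAMPLE_DB = {
    "8.8.8.8": {"country_code": "US", "country_name": "United States",
                "city": "Mountain View", "latitude": 37.386, "longitude": -122.0838},
    "1.1.1.1": {"country_code": "AU", "country_name": "Australia",
                "city": "", "latitude": -33.494, "longitude": 143.2104},
}


def sample_lookup(ip):
    """Stand-in for the freegeoip.net call (assumed interface: ip -> dict)."""
    if ip not in SAMPLE_DB:
        raise ValueError("no entry for " + ip)
    return dict(SAMPLE_DB[ip])


if __name__ == "__main__":
    import sys
    fmt = sys.argv[1] if len(sys.argv) > 1 else "csv"
    print(render(geolocate(parse_ip_list(sys.stdin.read()), sample_lookup), fmt))
```

Usage: `printf '8.8.8.8\n10.0.0.1\n1.1.1.1\n' | python3 gloc_example.py xml`. To use a real service, replace `sample_lookup` with a function that performs the HTTP request and returns the decoded JSON; the quota, cleaning and rendering stay the same.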

You can download gloc from my GitHub.