cancel
Showing results for 
Search instead for 
Did you mean: 

Creative uses for url.geolocation?

Anyone have any creative uses for geolocation they would be willing to share?  Any gotchas besides that it won't work against the local DB?

I'm thinking more from a logging perspective where we can see how many hits went to a certain country, what was the reputation of those links at a certain country, how many blocked hits based on  a certain country. 

Just curious.

Thanks!

0 Kudos
15 Replies
eelsasser
Level 15

Re: Creative uses for url.geolocation?

I do, in fact, log Geolocation and import it as a custom field in Web Reporter.

Sites that get blocked put the country name on the block page like this:

Capture.PNG

Capture2.PNG

Capture3.PNG

The logs look like this:

Capture4.PNG

And Web Reporter can generate output like the attached PDF to this message.

0 Kudos
dvaidya
Level 7

Re: Creative uses for url.geolocation?

Any chance you could put the templates and the rules that you are using for geolocation blocking and collecting that information in the logs.  I have gotten it to block based on geolocation but right now only the two digit country code is listed and not the full name.  Also, the location of geolocation country code to full name list would be helpful.  I had it saved but screwed up and deleted the link.

Thank You

0 Kudos
eelsasser
Level 15

Re: Creative uses for url.geolocation?

Attached are rules and pages.

The rules do a CloudOnly lookup and assign the results to a variable:

EnabledRuleActionEvents
EnabledBlock sites in GeoBlacklist
1: URL.Geolocation<CloudOnly> is in list GeoLocationCodes
2: AND List.OfString.IsEmpty(GeoLocationNames) equals false
ContinueSet User-Defined.Geolocation = URL.Geolocation<CloudOnly>

The condition "List.OfString.IsEmpty(GeoLocationNames) equals false" is used strictly for attaching the list of full country names to the ruleset for export/import and does not do anything by itself.

I have a list of countries I want to ban, and they will block if there is a match:

EnabledBlock sites in GeoBlacklist
1: User-Defined.Geolocation is in list GeoBlacklist
Block<GeoLocation>

I also included reputation checking in this rule set because we already are doing the lookup, so why not. It is optional.

EnabledBlock Bad Reputation Sites
1: URL.ReputationString<CloudOnly> equals "High Risk"
2: OR URL.IsHighRisk<CloudOnly> equals true
Block<Bad Reputation>

The real meat is on the block page. It may not import exactly, but there are a list of images with the flags, each with it's country symbol. (US.gif, GB.gif, CA.gif, etc) Import those to the img/ folder.

Then, the HTML on the block page itself may or may not work as imported. You may have to adjust the references to the properties.

There is a section that displays the flag, you may have to adjust:

<img src='$Proxy.EndUserURL$/files/default/img/button_$String.ReplaceAll(URL.ReputationString<MostRecent >," ","")$.gif' />

When you add that property, make sure the Most Recently Used Settings is checked for URL.Reputation.

Then you want to display the full country name, you have to use:

List.OfString.Get(GeoLocationNames,List.OfString.Find(GeoLocationCodes,URL.Geolocation<MostRecent>))

Basically, it takes the 2-digit country and uses it as an index in the CountryNames list to get the full country name.

(I did not attach the logging rules. You must enter them yourself.)

And finally in the logs, I have a field in my access.log that appends the full country name to the Geolocation variable:

EnabledLookup Geolocation
1: User-Defined.Geolocation does not equal "Unknown"
ContinueSet User-Defined.Geolocation =
     User-Defined.Geolocation +
     "-" +
     List.OfString.Get(GeoLocationNames,List.OfString.Find(GeoLocationCodes,User-Defined.Geolocation))
Set User-Defined.Geolocation = String.ReplaceIfEquals(User-Defined.Geolocation,"-Unknown","Unknown")

And print the Geolocation in the access log:

" "" +

String.ReplaceIfEquals(User-Defined.Geolocation,"","-") +

"" " +

0 Kudos
dvaidya
Level 7

Re: Creative uses for url.geolocation?

Thanks Eric.

Still having problems in displaying the full country name in the block page.  It is coming up as Geolocation: (two_letter_country_code) flag.img.  I am missing something in somewhere.

0 Kudos
eelsasser
Level 15

Re: Creative uses for url.geolocation?

When you view the source of the block page, the flag image should be substituted as:

<img src='/mwg-internal/InternalPathId/files/default/img/US.gif'>

You said ".img" nor ".gif" in your post.

0 Kudos

Re: Creative uses for url.geolocation?

Good stuff!  With regards to your report, is that bytes sent?  So geolocation info will only show up if you use real time GTI lookups, and not the local DB? 

0 Kudos
eelsasser
Level 15

Re: Creative uses for url.geolocation?

Web Reporter does Bytes from Server by default I think.

Geolocation only shows up with a CloudOnly lookup. We don't download and maintain the IP list for countries on box.

In practice, I might craft the overall rules to do a local lookup against categories that I want to block, then for uncategorized sites do the CloudLookup with Geolocation. That means You won't get countries in the logs for things in the local database, but will for the sites that are not local.

Does that make sense?

0 Kudos
Troja
Level 14

Re: Creative uses for url.geolocation?

Hi all,

is it possible to match the Connection.IP with the Geolocation Data. Eg. in a reverse proxy environment to block access from specific countries?

Cheers,

Thorsten

0 Kudos
eelsasser
Level 15

Re: Creative uses for url.geolocation?

Looks like you found my comment here:

https://community.mcafee.com/docs/DOC-5205#comment-7123

0 Kudos