2010
07.10

Seems that the last implication question (from the example about the farmer) I thought up from preparing 2 Tim 2:1-7 was meant more for myself at this point in time than simply for the general crowd:

“Do we give up halfway? (Not the same as taking a break, but giving up/abandoning the gospel work)”

Writing this here to remind myself of this in the future.

2010
07.08

Some more fun with p0f and Splunk… now with profiling of client internet connections!

Setup of the p0f and logging is the same as in the OS Profiling post.

The Splunk search string has been extended to extract the source’s internet link as a field too (the rex commands are the ones doing the field extraction):

| file /home/path/to/p0f.log | rex field=_raw "> (?<srcip>[^:]+):(?<srcport>[^ ]+) - (?<srcos>.+?) \(" | rex field=_raw "-> (?<dstip>[^:]+):(?<dstport>[^ ]+) " | rex field=_raw "link: (?<srclink>.*)\)$" | regex srclink!="(unspecified|unknown)" | top limit=0 srclink

The fields that I extract with this:

  • srcip -> source IP
  • srcport -> source TCP port
  • srcos -> source’s OS (woot!)
  • dstip -> destination IP (which is my machine’s)
  • dstport -> the destination port which the TCP connection was initiated to
  • srclink -> the internet link of the source machine

After filtering out the “unspecified” and “unknown” links, the list of detected links is as follows:

“ethernet/modem” points to mostly cable connections. There are some interesting entries in the list though, like vtun, pppoe, Google/AOL, IPv6/IPIP (early adopters? haha). I have no idea what IPSec/GRE or vLAN mean in this context, though.
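The same field extraction and link filter done in plain Python over constructed p0f log lines, as an added example that is not part of the original post. The sample lines, the "unknown-1460" value and the slightly tightened srcos pattern are my assumptions, not output from the post's setup.

```python
import re
from collections import Counter

# Constructed sample lines in the p0f 2.x "-o" log layout (not real captures).
SAMPLE_LOG = """\
<Thu Jul  8 09:12:01 2010> 198.51.100.23:51234 - Linux 2.6 (newer, 1) -> 203.0.113.5:80 (distance 12, link: ethernet/modem)
<Thu Jul  8 09:12:07 2010> 198.51.100.77:3391 - Windows XP SP1+, 2000 SP3 -> 203.0.113.5:80 (distance 9, link: pppoe (DSL))
<Thu Jul  8 09:12:09 2010> 192.0.2.14:60211 - FreeBSD 6.x (1) -> 203.0.113.5:22 (distance 15, link: unknown-1460)
<Thu Jul  8 09:13:44 2010> 192.0.2.14:60212 - FreeBSD 6.x (1) -> 203.0.113.5:22 (distance 15, link: unspecified)
<Thu Jul  8 09:14:02 2010> 198.51.100.101:44120 - Linux 2.6 (newer, 1) -> 203.0.113.5:443 (distance 11, link: ethernet/modem)
<Thu Jul  8 09:15:30 2010> 203.0.113.200:1025 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] (up: 3 hrs) -> 203.0.113.5:80 (distance 0, link: IPv6/IPIP)
"""

# The three Splunk rex extractions from the post, as Python named groups.
FIELD_PATTERNS = {
    # The first "> " closes the timestamp, so source ip:port follows it.
    "src": re.compile(r"> (?P<srcip>[^:]+):(?P<srcport>[^ ]+) - "),
    # Stop at " (" or " -> " so an OS name without a parenthesised suffix
    # does not swallow the destination (the post's pattern stops only at " (").
    "srcos": re.compile(r" - (?P<srcos>.+?) (?:\(|-> )"),
    "dst": re.compile(r"-> (?P<dstip>[^:]+):(?P<dstport>[^ ]+) "),
    "srclink": re.compile(r"link: (?P<srclink>.*)\)$"),
}
# Splunk's `regex srclink!="(unspecified|unknown)"` is an unanchored match;
# re.search behaves the same, so a value like "unknown-1460" is dropped too.
NOISE_LINK = re.compile(r"(unspecified|unknown)")


def extract_fields(line):
    """Return the six fields as a dict, or None if the line is not a p0f record."""
    fields = {}
    for pattern in FIELD_PATTERNS.values():
        m = pattern.search(line)
        if m is None:
            return None
        fields.update(m.groupdict())
    return fields


def top_links(log_text):
    """Same result as `regex srclink!="(unspecified|unknown)" | top limit=0 srclink`."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = extract_fields(line)
        if rec is None or NOISE_LINK.search(rec["srclink"]):
            continue
        counts[rec["srclink"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for link, n in top_links(SAMPLE_LOG):
        print(f"{n:4d}  {link}")
```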

Just for the heck of it, here’s the chart for this table, generated from the reports link in Splunk.

I like the charts, because they allow some interaction for simple datasets, but I digress :P

2010
07.08

Did you know that it’s possible to do your own geoip lookups from the linux command line?

You need to install the geoip-bin package in Ubuntu/Debian’s APT system:

$ sudo apt-get install geoip-bin

After that, lookups are as simple as:

$ geoiplookup 8.8.8.8
GeoIP Country Edition: US, United States

Note that the lookups are based on the GeoLite Country database. For more detailed geoip lookups you will need to buy the better databases.