Filter out Intelsat satellite network plane wifi from Impossible Travel #1358
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Intelsat provides in-flight wifi for a number of airlines (American, Alaska, etc) but like any ASN provides geographic information for a fixed spot on the globe. This leads to false positives when persons using in-flight wifi have login activity shortly before or after a login from in-flight.
|
Hi Geoff, thanks for submitting! I've been reviewing your PR and I'm wondering why the current rule code doesn't satisfy your situation... It appears that Intelsat gets identified by IPinfo as a VPN, and therefore the current code would not use it for any distance calculations in further events. (It does generate an alert, but the alert is INFO level and auto-dismissed, so it shouldn't generate any noise. The reason we still generate an alert for VPNs is in case the VPN designation was a mistake - you'll still have a record of the alert and the event details, if you review your alert history.) Please let me know if there's something I'm not seeing! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
Intelsat provides in-flight wifi for a number of airlines (American, Alaska, etc) among other mobile services but like any ASN provides geographic information for a fixed spot on the globe. This leads to false positives when persons using in-flight wifi have login activity shortly before or after a login from in-flight. An example:
Changes
Adds a check on
ipinfo_asnlookups and excludes Intelsat's ASNAS22351from triggering the rule or being included innew_login_stats. Any additional satellite network ASNs identified can be added to theSATELLITE_NETWORK_ASNSconstant.Testing