Hey, Jason Ostrom here. In the spirit of some of the valuable information being shared on the rising trend of SIP scanning activity and toll fraud, I’ve created a Perl script that does GeoIP lookups of potential attackers, sorting them based on scanning activity and country origination. The script is free to anyone, and currently only works with Asterisk logging for an Asterisk-based VoIP Honeypot. Feel free to re-use this script as you see fit. The idea behind it is to quickly view hit counts and percentages of failure activity based on country codes using geolocation technology. You can roll this script into your cron and see the number of hits and where they are coming from on a daily basis. Details on how to install and use the script are here, and the script itself can be downloaded from the UCSniff downloads section.
Note that you can run the script in debug mode to look up IP addresses based on city origination. Hope this script helps you, and let us know how it goes.
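The kind of per-country tally described above, as an added Python example that is not the author's Perl script. It assumes the chan_sip "Registration from ... failed for" log message; the names `FAILED_REG`, `SAMPLE_GEO`, `sample_country` and `country_report` are hypothetical, and the lookup table and log lines are constructed stand-ins for a real GeoIP database and real honeypot logs.

```python
import ipaddress
import re
from collections import Counter

# chan_sip registration failure; some Asterisk releases append ":port" to the IP.
FAILED_REG = re.compile(
    r"chan_sip\.c: Registration from '.*' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - ")

# Constructed stand-in for a GeoIP database: documentation ranges mapped to
# user-assigned placeholder country codes (XA, XB, XC are not real countries).
SAMPLE_GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
    ipaddress.ip_network("203.0.113.0/24"): "XC",
}

def sample_country(ip):  # hypothetical lookup; swap in a real GeoIP query here
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in SAMPLE_GEO.items() if addr in net), "??")

def country_report(lines, lookup=sample_country):
    """Return [(country, hits, percent)] sorted by descending hit count."""
    per_ip = Counter()
    for line in lines:
        m = FAILED_REG.search(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group("ip"))  # drop malformed addresses
        except ValueError:
            continue
        per_ip[m.group("ip")] += 1
    per_country = Counter()
    for ip, hits in per_ip.items():  # one lookup per unique source IP
        per_country[lookup(ip)] += hits
    total = sum(per_country.values())
    ranked = sorted(per_country.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(cc, hits, round(100.0 * hits / total, 1)) for cc, hits in ranked]

# Constructed sample lines in Asterisk log style (not real traffic).
SAMPLE_LOG = """\
[2010-10-05 03:12:01] NOTICE[2201] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2010-10-05 03:12:01] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2010-10-05 03:12:02] NOTICE[2201] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.9:5071' - Wrong password
[2010-10-05 03:15:40] NOTICE[2201] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2010-10-05 03:17:12] NOTICE[2201] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '10.9.8.7' - No matching peer found
""".splitlines()

if __name__ == "__main__":
    print(country_report(SAMPLE_LOG))
```

Addresses the lookup cannot place are reported under `??`, so unmapped or private sources remain visible in the totals.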