[Bro] ASN Lookups
Dave Crawford
bro at pingtrip.com
Fri Mar 10 12:03:48 PST 2017
Can someone point out the errors in my script to add ASNs to the conn log? The fields are always “0” in the log but GeoIP is working as expected.
MaxMind’s ASN database is here:
$ ls -l /usr/share/GeoIP/GeoIPASNum.dat
-rw-r--r-- 1 dcrawford dcrawford 4361995 Mar 6 10:14 /usr/share/GeoIP/GeoIPASNum.dat
And my add_geo-asn.bro script:
# Extend the conn log with country-code and ASN columns for both endpoints.
redef record Conn::Info += {
    orig_cc:  string &optional &log;
    resp_cc:  string &optional &log;
    orig_asn: count  &optional &log;
    resp_asn: count  &optional &log;
};

event connection_state_remove(c: connection)
    {
    # Originator: ASN is assigned unconditionally, country code only when present.
    c$conn$orig_asn = lookup_asn(c$id$orig_h);
    local orig_loc = lookup_location(c$id$orig_h);
    if ( orig_loc?$country_code )
        c$conn$orig_cc = orig_loc$country_code;

    # Responder: same treatment.
    c$conn$resp_asn = lookup_asn(c$id$resp_h);
    local resp_loc = lookup_location(c$id$resp_h);
    if ( resp_loc?$country_code )
        c$conn$resp_cc = resp_loc$country_code;
    }
-Dave
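A quick way to confirm where the enrichment breaks is to audit the written conn.log itself. The following is an added example, not code from the post or from Bro: it parses the Bro TSV log format (honouring the #fields and #unset_field headers), counts, for the four added columns, how many rows are populated, unset ("-") or literally 0, and flags the pattern described above (ASNs all 0 while country codes resolve). The log lines are constructed for this example and use documentation address ranges.

```python
from collections import Counter

# Constructed sample conn.log with the post's added columns (not real traffic).
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\torig_cc\tresp_cc\torig_asn\tresp_asn
#types\ttime\tstring\taddr\taddr\tenum\tstring\tstring\tcount\tcount
1489176228.1\tCAbc1\t10.0.0.5\t203.0.113.9\ttcp\t-\tUS\t0\t0
1489176229.2\tCAbc2\t10.0.0.5\t198.51.100.7\tudp\t-\tDE\t0\t0
1489176230.3\tCAbc3\t192.0.2.44\t203.0.113.9\ttcp\tFR\tUS\t0\t0
"""

ASN_FIELDS = ("orig_asn", "resp_asn")
CC_FIELDS = ("orig_cc", "resp_cc")


def parse_bro_log(text):
    """Yield one dict per record; unset values ("-" by default) become None."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field"):
            unset = line.split("\t")[1]
        elif line.startswith("#") or not line:
            continue
        else:
            values = line.split("\t")
            yield {f: (None if v == unset else v) for f, v in zip(fields, values)}


def audit_enrichment(text):
    """Return {column: Counter} with 'populated', 'unset' and (for ASNs) 'zero'.
    lookup_asn() returns 0 when the database has no match, and the script
    assigns that result unconditionally, so a 0 is logged as if it were data."""
    summary = {f: Counter() for f in ASN_FIELDS + CC_FIELDS}
    for rec in parse_bro_log(text):
        for f in summary:
            v = rec.get(f)
            if v is None:
                summary[f]["unset"] += 1
            elif f in ASN_FIELDS and v == "0":
                summary[f]["zero"] += 1
            else:
                summary[f]["populated"] += 1
    return summary


def asn_lookup_broken(summary, threshold=0.9):
    """True when nearly all ASN values are 0 while country codes do resolve."""
    asn_rows = sum(sum(summary[f].values()) for f in ASN_FIELDS)
    zeros = sum(summary[f]["zero"] for f in ASN_FIELDS)
    cc_ok = sum(summary[f]["populated"] for f in CC_FIELDS)
    return asn_rows > 0 and zeros / asn_rows >= threshold and cc_ok > 0
```

Run it against a real conn.log by passing the file contents to audit_enrichment(); if asn_lookup_broken() is true, the GeoIP country database is being read but the ASN lookup is not, which narrows the problem to the ASN database path or build support rather than the script's logging logic.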