[Bro] ASN Lookups
Seth Hall
seth at corelight.com
Fri Mar 10 12:52:00 PST 2017
Your script looks fine to me. Is it possible you're seeing messages like "Can't open GeoIP ASNUM database" in your reporter log?
.Seth
> On Mar 10, 2017, at 3:03 PM, Dave Crawford <bro at pingtrip.com> wrote:
>
> Can someone point out the errors in my script to add ASNs to the conn log? The fields are always “0” in the log but GeoIP is working as expected.
>
> MaxMind’s ASN database is here:
>
> $ ls -l /usr/share/GeoIP/GeoIPASNum.dat
> -rw-r--r-- 1 dcrawford dcrawford 4361995 Mar 6 10:14 /usr/share/GeoIP/GeoIPASNum.dat
>
> And my add_geo-asn.bro script:
>
> redef record Conn::Info += {
>     orig_cc:  string &optional &log;
>     resp_cc:  string &optional &log;
>     orig_asn: count  &optional &log;
>     resp_asn: count  &optional &log;
> };
>
> event connection_state_remove(c: connection)
>     {
>     c$conn$orig_asn = lookup_asn(c$id$orig_h);
>
>     local orig_loc = lookup_location(c$id$orig_h);
>     if ( orig_loc?$country_code )
>         c$conn$orig_cc = orig_loc$country_code;
>
>     c$conn$resp_asn = lookup_asn(c$id$resp_h);
>
>     local resp_loc = lookup_location(c$id$resp_h);
>     if ( resp_loc?$country_code )
>         c$conn$resp_cc = resp_loc$country_code;
>     }
>
> -Dave
--
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
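The following is an added example, not Dave's script and not anything shipped with Bro. It keeps the same Conn::Info extension but only sets the ASN fields when the lookup actually resolves (so an unknown ASN logs as "-" rather than 0), and adds a startup self-check that warns through the reporter framework when the ASN database appears not to have loaded, which is the failure Seth points at above. It assumes the Bro 2.x builtins lookup_asn() and lookup_location(), that lookup_asn() returns 0 for an unknown address, and that Conn writes the log record at priority -5 in connection_state_remove; probe_addr is a constructed value.

```bro
##! Added example (not from the thread): annotate conn.log with ASN and
##! country code, and warn at startup if the ASN database is unavailable.

@load base/protocols/conn
@load base/frameworks/reporter

module GeoASN;

export {
    ## Public address used only to test at startup that the ASN database
    ## loaded. Constructed value; any routable address with a known AS works.
    const probe_addr: addr = 8.8.8.8 &redef;
}

redef record Conn::Info += {
    orig_cc:  string &optional &log;
    resp_cc:  string &optional &log;
    orig_asn: count  &optional &log;
    resp_asn: count  &optional &log;
};

event bro_init()
    {
    # lookup_asn() returns 0 when an address is not found, which is also
    # what every lookup returns when GeoIPASNum.dat could not be opened.
    # Surface that once at startup instead of silently logging zeros.
    if ( lookup_asn(probe_addr) == 0 )
        Reporter::warning(fmt("lookup_asn(%s) returned 0 at startup; check reporter.log for a 'Can't open GeoIP ASNUM database' message",
                              probe_addr));
    }

## Fill the ASN and country-code fields for one endpoint of a connection.
function annotate(c: connection, a: addr, is_orig: bool)
    {
    local asn = lookup_asn(a);
    local loc = lookup_location(a);

    if ( is_orig )
        {
        # Leave the field unset (logged as "-") when the ASN is unknown.
        if ( asn != 0 )
            c$conn$orig_asn = asn;
        if ( loc?$country_code )
            c$conn$orig_cc = loc$country_code;
        }
    else
        {
        if ( asn != 0 )
            c$conn$resp_asn = asn;
        if ( loc?$country_code )
            c$conn$resp_cc = loc$country_code;
        }
    }

# Conn writes c$conn to conn.log at priority -5 in this same event, so any
# positive priority guarantees the fields are populated before the write.
event connection_state_remove(c: connection) &priority=3
    {
    # Guard against connections that never got a Conn::Info record.
    if ( ! c?$conn )
        return;

    annotate(c, c$id$orig_h, T);
    annotate(c, c$id$resp_h, F);
    }
```

With this loaded, a missing or unreadable GeoIPASNum.dat shows up once in reporter.log at startup, and conn.log rows carry "-" in orig_asn/resp_asn for addresses the database does not cover instead of an ambiguous 0.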