[Bro] ASN Lookups
Dave Crawford
bro at pingtrip.com
Fri Mar 10 16:18:20 PST 2017
Closing the loop on this… totally self-inflicted. I deployed the MaxMind database to the manager but forgot to also deploy to all the sensors.
Everything is working as intended now.
> On Mar 10, 2017, at 4:01 PM, Dave Crawford <bro at pingtrip.com> wrote:
>
> Ahh yes, there is an error:
>
> Reporter::ERROR Can't open GeoIP ASNUM database: /usr/share/GeoIP/GeoIPASNum.dat (lookup_asn(c$id$orig_h))
>
> But the permissions look correct:
>
> $ ls -l /usr/share/GeoIP/GeoIPASNum.dat
> -rw-r--r-- 1 dcrawford dcrawford 4361995 Mar 6 10:14 /usr/share/GeoIP/GeoIPASNum.dat
>
> Perhaps I grabbed the wrong version of the MaxMind ASN DB? This is the one I installed:
>
> http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
>
>
>> On Mar 10, 2017, at 3:52 PM, Seth Hall <seth at corelight.com> wrote:
>>
>> Your script looks fine to me. Is it possible you’re seeing messages like "Can't open GeoIP ASNUM database" in your reporter log?
>>
>> .Seth