[Oisf-users] AS numbers
Michael Stone
mstone at mathom.us
Thu Mar 2 12:52:27 UTC 2017
On Thu, Mar 02, 2017 at 12:54:09PM +0100, Victor Julien wrote:
>On 24-02-17 03:12, Michael Stone wrote:
>> Has there been any thought about extending the geoip functionality to
>> include autonomous system numbers (ASNs) as well? Or is there an
>> existing way to do this that I've missed?
>
>Are you aware of a library/option to do this? For geoip we just use the
>maxmind libs.
There are a number of ways to do it, but the maxmind libs already have
it so I thought that was the least-effort path. There's example code in
the "geoiplookup" program in the geoip library apps directory, but
basically it's a matter of calling GeoIP_name_by_ipnum using a database
with ASN information instead of the usual country or city database.
(E.g.,
http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz)
If there's interest I could put together a patch, but adding a new
signature keyword seems somewhat significant so I wondered if it had
already been considered. In theory there could be multiple
implementations of the actual lookup mechanism; the maxmind route just
seemed expedient.
It's probably worth noting that the API suricata currently uses for
geoip is maxmind's "legacy" API. There's a new API with a different
database format, but ASN functionality is now only available with a
subscription. (Ironically, if you do pay them, you can't use the old
API.)
Mike Stone
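As an added illustration of the lookup path Michael describes (this is example code, not from the thread and not Suricata's own), the block below wires up an ASN lookup against MaxMind's legacy GeoIPASNum.dat. The actual library calls (GeoIP_open and GeoIP_name_by_ipnum from GeoIP.h) are compiled only when HAVE_GEOIP is defined, so the helpers build and run without libGeoIP present; the database path, the sample addresses and the "AS<number> <org>" records in the fallback table are constructed assumptions. The two things a keyword implementation has to get right are shown explicitly: the legacy API takes the IPv4 address as a host-order integer rather than a string, and the ASN database hands back a single "AS64496 Org Name" string that must be split before a signature can match on the number.

```c
/* Added example (not from the mailing-list thread): how a lookup against
 * MaxMind's legacy ASN database would be wired up. The real calls
 * (GeoIP_open / GeoIP_name_by_ipnum from GeoIP.h) are compiled only when
 * HAVE_GEOIP is defined, so the helpers below build and run without the
 * library. Database path and sample values are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifdef HAVE_GEOIP
#include <GeoIP.h>
#endif

/* The legacy API wants the IPv4 address as a host-order unsigned long
 * (same value as ntohl(inet_addr(s))), not a string. Returns 0 on
 * malformed input. */
int ipv4_to_ipnum(const char *s, unsigned long *out)
{
    unsigned int a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((unsigned long)a << 24) | ((unsigned long)b << 16) |
           ((unsigned long)c << 8) | (unsigned long)d;
    return 1;
}

/* GeoIPASNum.dat records come back as one string of the form
 * "AS<number> <organisation>"; a signature keyword would match on the
 * numeric part, so split it out. Returns 0 if the string is not in
 * that shape. */
int parse_asn_record(const char *rec, uint32_t *asn, char *org, size_t orglen)
{
    char *end;
    unsigned long n;
    if (rec == NULL || strncmp(rec, "AS", 2) != 0)
        return 0;
    n = strtoul(rec + 2, &end, 10);
    if (end == rec + 2 || n > UINT32_MAX)
        return 0;
    *asn = (uint32_t)n;
    while (*end == ' ')
        end++;
    snprintf(org, orglen, "%s", end);
    return 1;
}

/* Look up the ASN record for an IPv4 address. With HAVE_GEOIP this opens
 * the ASN database (path is an assumption) and calls the legacy API;
 * without it, it reads from a constructed in-memory table so the flow
 * can be exercised offline. Caller frees the returned string. */
char *lookup_asn_record(const char *ip)
{
    unsigned long ipnum;
    if (!ipv4_to_ipnum(ip, &ipnum))
        return NULL;
#ifdef HAVE_GEOIP
    GeoIP *gi = GeoIP_open("/usr/share/GeoIP/GeoIPASNum.dat", GEOIP_MEMORY_CACHE);
    if (gi == NULL)
        return NULL;
    char *rec = GeoIP_name_by_ipnum(gi, ipnum); /* allocated by libGeoIP */
    GeoIP_delete(gi);
    return rec;
#else
    /* Constructed sample table standing in for the database. */
    static const struct { unsigned long ipnum; const char *rec; } table[] = {
        { 3221225985UL, "AS64496 Example Transit Ltd" }, /* 192.0.2.1 */
        { 3325256705UL, "AS64497 Example Hosting Inc" }, /* 198.51.100.1 */
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].ipnum == ipnum)
            return strdup(table[i].rec);
    return NULL;
#endif
}

int main(void)
{
    const char *ips[] = { "192.0.2.1", "198.51.100.1", "203.0.113.9" };
    for (size_t i = 0; i < 3; i++) {
        char *rec = lookup_asn_record(ips[i]);
        uint32_t asn;
        char org[128];
        if (rec != NULL && parse_asn_record(rec, &asn, org, sizeof org))
            printf("%s -> AS%u (%s)\n", ips[i], asn, org);
        else
            printf("%s -> no ASN record\n", ips[i]);
        free(rec);
    }
    return 0;
}
```

Build with `-DHAVE_GEOIP -lGeoIP` to hit the real database; without those flags it runs against the constructed table. Opening the database once per lookup, as done here for brevity, is not what an engine would do: a keyword implementation would open it at startup and keep the handle.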