ASN Lookup Generator for Splunk
This app provides a generating command, 'asngen', which downloads MaxMind's ASN database (https://dev.maxmind.com/geoip/geoip2/geolite2-asn-csv-database/), unzips the contents (in memory) and outputs a table of the results that can easily be written to a lookup. To the best of our knowledge, CIDR-based lookups in Splunk do not support IPv6 (https://answers.splunk.com/answers/474542/feature-request-cidr-matching-for-ipv6-in-search.html), so the 'asngen' command does not output the IPv6 autonomous systems even though MaxMind provides them.
TA-asngen has a scheduled search which automatically updates the 'asn' lookup daily. It's a standard CSV lookup and can be used like so:
... | lookup asn ip AS <your_ip_field>
Be aware that the app automatically blacklists replication of the asn lookup to indexers in the search bundle (distsearch.conf), as it's typically around 13MB in size.
N.B. A custom search command was used rather than a scripted input so as to work better with search head clustering, and a scripted lookup was not used, to prevent users from piping search results to the lookup and DoSing the provider.
- Release notes
- Disclaimer
- Support and resources
- Requirements
- Installation
- Configuration
Release notes
Version 1.1.x of TA-asngen is compatible with:
| Splunk Enterprise versions | 6.3+ |
|---|---|
| Platforms | Platform independent |
| Vendor Products | MaxMind |
| Lookup file changes | None |
Version 1.1.0 of TA-asngen fixes the following issues:
- MaxMind recently changed the way they provide this lookup, making a free license key a requirement (https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/). Big thanks to Kurt Keller who provided the update to this app to support the new subscription-based model (https://github.com/doksu/TA-asngen/pull/14).
Version 1.0.0 of TA-asngen fixes the following issues:
- New MaxMind URL and file format supported (Thanks Nicolas Rofort for raising the issue and providing a patch: https://github.com/doksu/TA-asngen/issues/5)
Version 0.1.2 of TA-asngen fixes the following issues:
- Characters in autonomous system names that cannot be converted to UTF-8 are discarded
- Proxy bug (Thanks Katerina: https://github.com/doksu/TA-asngen/issues/3)
- Matches longest network mask
- None
Disclaimer
The author in no way endorses the provider's service, has no affiliation whatsoever with the provider, and makes no guarantees about the quality or accuracy of the information provided.
Support and resources
Please post questions at https://answers.splunk.com; however, this app is provided as is with no warranty, implied or otherwise; please see the LICENSE document for more information. Feedback about possible improvements and good news stories of how this app has helped your organisation are most welcome.
- None
Requirements
To function properly, TA-asngen requires the following software:
- Splunk Enterprise 6.3+
Installation
Install this app on your search head/s as you would with any other app, then restart Splunk.
If the maximum size of static lookup files has not yet been increased from the default in your environment, you will need to do so by adding a stanza such as this to limits.conf on your search head/s:
[lookup]
max_memtable_bytes=30000000
Configuration
MaxMind provides the hierarchy of networks in their database. Generally we wish to know only the longest match, and so the 'asn' lookup's default behaviour (as of v0.1.2) is to return only the longest CIDR mask match. If you wish to see more matches, change the 'asn' lookup's 'max_matches' value in transforms.conf.
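As an added example (not the app's own code, nor MaxMind's), the Python below mirrors what this page describes 'asngen' doing: open the downloaded zip in memory, read only the IPv4 blocks CSV, discard bytes that are not valid UTF-8, and emit the ip/asn/autonomous_system columns the 'asn' lookup uses; longest_match then emulates the lookup's default of returning only the longest CIDR mask match. The zip contents are constructed here (only the column names follow MaxMind's CSV layout), and the real download URL, license key and proxy handling are left out.

```python
import csv
import io
import ipaddress
import zipfile

# Constructed sample zip: two CSV members in the column layout of MaxMind's
# GeoLite2 ASN CSV download. The networks and ASNs are made-up documentation
# values; one organisation name contains a byte that is not valid UTF-8.
def build_sample_zip():
    ipv4 = (
        "network,autonomous_system_number,autonomous_system_organization\n"
        "192.0.2.0/24,64496,Example Transit\n"
        "192.0.2.128/25,64497,Example Customer\n"
        "198.51.100.0/24,64498,Example Hosting\n"
    ).encode("utf-8") + b"203.0.113.0/24,64499,Caf\xe9 Networks\n"  # lone 0xE9 is invalid UTF-8
    ipv6 = (
        "network,autonomous_system_number,autonomous_system_organization\n"
        "2001:db8::/32,64500,Example IPv6 Only\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("GeoLite2-ASN-CSV/GeoLite2-ASN-Blocks-IPv4.csv", ipv4)
        zf.writestr("GeoLite2-ASN-CSV/GeoLite2-ASN-Blocks-IPv6.csv", ipv6)
    return buf.getvalue()


def asn_rows(zip_bytes):
    """Return IPv4-only rows with the columns the 'asn' lookup uses: ip, asn, autonomous_system."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith("-Blocks-IPv4.csv"):
                continue  # IPv6 member skipped: Splunk CIDR lookups are IPv4-only
            # Undecodable bytes are dropped rather than failing the whole refresh
            text = zf.read(name).decode("utf-8", errors="ignore")
            for rec in csv.DictReader(io.StringIO(text)):
                net = ipaddress.ip_network(rec["network"], strict=True)
                if net.version != 4:
                    continue  # belt and braces: never emit a v6 block
                rows.append({
                    "ip": str(net),
                    "asn": rec["autonomous_system_number"],
                    "autonomous_system": rec["autonomous_system_organization"],
                })
    return rows


def longest_match(rows, ip):
    """Emulate max_matches=1 with the longest CIDR mask winning; None if no block contains ip."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for row in rows:
        net = ipaddress.ip_network(row["ip"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = row, net.prefixlen
    return best


if __name__ == "__main__":
    table = asn_rows(build_sample_zip())
    for row in table:
        print(row["ip"], row["asn"], row["autonomous_system"])
    print(longest_match(table, "192.0.2.200"))
```

The constructed IPv4 rows deliberately overlap (192.0.2.0/24 and 192.0.2.128/25) so the effect of the default longest-mask behaviour is visible: 192.0.2.200 resolves to the /25 only, whereas raising 'max_matches' in transforms.conf would return both enclosing networks.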
You must create a free MaxMind account (https://www.maxmind.com/en/geolite2/signup), generate a free license key, then configure it in the app before use. To configure the license key in the app, please click 'Manage Apps' under the app menu in Splunk, find TA-asnlookup and click 'Set up', then fill in the details.
If use of a proxy is required, please click 'Manage Apps' under the app menu, find TA-asnlookup and click 'Set up', then fill in the details, e.g. https://proxy.example.com:3128
Run the following search to initially populate the asn lookup:
| asngen | table ip asn autonomous_system | outputlookup asn
The lookup will automatically update itself each morning.
The 'asn' lookup matches the longest CIDR mask for a given IPv4 address and can be used in the same way as any other lookup; however, because the lookup is excluded from the search bundle sent to indexers, we recommend the local=t argument so that the lookup runs on the search head:
... | lookup local=t asn ip AS <your_ip_field>