doksu edited this page Mar 28, 2017 · 12 revisions

TA-asngen

ASN Lookup Generator for Splunk

This app provides a generating command, asngen, which downloads MaxMind's ASN database (http://dev.maxmind.com/geoip/legacy/geolite/), unzips the contents in memory, converts each network's address to a string form compatible with Splunk's CIDR match_type lookups, and outputs a table of the results that can easily be written to a lookup.

TA-asngen has a scheduled search which automatically updates the 'asn' lookup daily. It's a standard csv lookup and can be used like so:

... | lookup asn ip AS src_ip

N.B. A custom search command was used rather than a scripted input so as to work better with search head clustering, and a scripted lookup was not used so that users cannot pipe search results into the lookup and DoS the provider.
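The conversion the asngen command performs (unzip in memory, turn each address range into CIDR rows, emit ip/asn/autonomous_system) can be illustrated end to end. The script below is an added example, not TA-asngen's own code: it assumes the legacy GeoIPASNum2.csv layout of start_int,end_int,"ASnnnn Name" with inclusive big-endian IPv4 integer ranges, and uses a constructed three-row sample instead of the real download. A range that is not a single aligned block is split into several CIDR rows, which is what a Splunk lookup defined with match_type = CIDR(ip) in transforms.conf expects.

```python
"""Convert MaxMind legacy GeoLite ASN rows into Splunk CIDR lookup rows.

Added example (not TA-asngen's own code). Assumptions, labelled as such:
- the legacy GeoIPASNum2.csv layout is start_int,end_int,"ASnnnn Name"
  (big-endian IPv4 integers, inclusive range);
- output columns ip, asn, autonomous_system match the search on the page.
The sample rows below are constructed, not real MaxMind data.
"""
import csv
import io
import ipaddress
import zipfile

# Constructed sample in the assumed legacy CSV layout (not real data).
SAMPLE_CSV = (
    '16777216,16777471,"AS64496 EXAMPLE-NET-ONE"\n'
    '16777472,16778239,"AS64497 EXAMPLE-NET-TWO"\n'
    '3232235776,3232236031,"AS64498 EXAMPLE-NET-THREE"\n'
)


def build_zip_bytes(csv_text, member="GeoIPASNum2.csv"):
    """Pack CSV text into an in-memory zip, mimicking the downloaded archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, csv_text)
    return buf.getvalue()


def read_csv_from_zip(zip_bytes):
    """Unzip in memory (no temp file on the search head) and yield CSV rows."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".csv"):
                text = zf.read(name).decode("latin-1")
                for row in csv.reader(io.StringIO(text)):
                    if len(row) == 3:
                        yield row


def split_as_field(as_field):
    """Split 'AS64496 EXAMPLE-NET' into ('AS64496', 'EXAMPLE-NET')."""
    parts = as_field.strip().split(None, 1)
    asn = parts[0]
    name = parts[1] if len(parts) > 1 else ""
    return asn, name


def range_to_cidrs(start_int, end_int):
    """Expand an inclusive integer range to the minimal list of CIDR strings.

    Splunk's CIDR(ip) match_type needs one CIDR per row, so a range that
    is not a single aligned block becomes several rows.
    """
    start = ipaddress.IPv4Address(start_int)
    end = ipaddress.IPv4Address(end_int)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def asngen(zip_bytes):
    """Produce lookup rows: [{'ip': cidr, 'asn': ..., 'autonomous_system': ...}]."""
    rows = []
    for start_s, end_s, as_field in read_csv_from_zip(zip_bytes):
        asn, name = split_as_field(as_field)
        for cidr in range_to_cidrs(int(start_s), int(end_s)):
            rows.append({"ip": cidr, "asn": asn, "autonomous_system": name})
    return rows


def to_lookup_csv(rows):
    """Render rows as the csv that '| outputlookup asn' would write."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["ip", "asn", "autonomous_system"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_lookup_csv(asngen(build_zip_bytes(SAMPLE_CSV))))
```

Running it prints four rows: the second sample range (1.0.1.0 to 1.0.3.255) is not an aligned block, so it becomes 1.0.1.0/24 and 1.0.2.0/23 rather than one row. Keeping the whole download in memory, as the page describes, is what lets the command run on every search head cluster member without a shared scratch file.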


OVERVIEW

  • Release notes
  • Disclaimer
  • Support and resources

INSTALLATION AND CONFIGURATION

  • Requirements
  • Installation
  • Configuration

OVERVIEW

Release notes

About this release

Version 0.1.x of TA-asngen is compatible with:

Splunk Enterprise versions: 6.3+
Platforms: Platform independent
Vendor products: MaxMind
Lookup file changes: None
Fixed issues

Version 0.1.0 of TA-asngen fixes the following issues:

  • None

Known issues

  • None

Disclaimer

The author in no way endorses the provider's service, has no affiliation whatsoever with the provider, and makes no guarantees about the quality or accuracy of the information provided.

Support and resources

Please post questions at https://answers.splunk.com; however, this app is provided as is with no warranty, implied or otherwise. Please see the LICENSE document for more information. Feedback about possible improvements and good news stories of how this app has helped your organisation are most welcome.

INSTALLATION AND CONFIGURATION

Requirements

Hardware requirements

  • None

Software requirements

To function properly, TA-asngen requires the following software:

  • Splunk Enterprise 6.3+

Installation

Install this app on your search head(s) as you would any other app, then restart Splunk.

Configuration

If use of a proxy is required, click 'Manage Apps' under the app menu, find TA-asnlookup and click 'Set up', then fill in the details, e.g. https://proxy.example.com:3128

Run the following search to initially populate the asn lookup:

| asngen | table ip asn autonomous_system | outputlookup asn

The lookup will automatically update itself each morning.
