-
Notifications
You must be signed in to change notification settings - Fork 7
Home
ASN Lookup Generator for Splunk
This app provides a generating command asngen, which downloads MaxMind's ASN database (http://dev.maxmind.com/geoip/legacy/geolite/), unzips the contents (in memory), converts each network's address to a string IP compatible with Splunk's CIDR match_type lookups and outputs a table of the results that can be easily put into a lookup.
TA-asngen has a scheduled search which automatically updates the 'asn' lookup daily. It's a standard csv lookup and can be used like so:
... | lookup asn ip AS <your_ip_field>
Be aware that the app automatically blacklists replication of the asn lookup to indexers in the search bundle (distsearch.conf), as it's typically around 13MB in size.
N.B. A custom search command was used rather than a scripted input so as to work better with search head clustering and scripted lookup was not used to prevent users from piping search results to the lookup and DoSing the provider.
- Release notes
- Disclaimer
- Support and resources
- Requirements
- Installation
- Configuration
Version 0.1.x of TA-asngen is compatible with:
| Splunk Enterprise versions | 6.3+ |
|---|---|
| Platforms | Platform independent |
| Vendor Products | MaxMind |
| Lookup file changes | None |
Version 0.1.2 of TA-asngen fixes the following issues:
- Characters in autonomous system names that cannot be converted to UTF-8 are discarded
- Proxy bug (Thanks Katerina: https://github.com/doksu/TA-asngen/issues/3)
- Matches longest network mask
- None
The author in no way endorses the provider's service, has no affiliation whatsoever with the provider, and makes no guarantees about the quality or accuracy of the information provided.
Please post questions at https://answers.splunk.com, however this app is provided as is with no warranty, implied or otherwise; please see the LICENSE document for more information. Feedback about possible improvements and good news stories of how this app has helped your organisation are most welcome.
- None
To function properly, TA-asngen requires the following software:
- Splunk Enterprise 6.3+
Install this app on your search head/s as you would with any other app, then restart Splunk.
If the maximum size of static lookup files has not yet been increased from the default in your environment, you will need to do so by adding a stanza such as this to limits.conf on your search head/s:
[lookup]
max_memtable_bytes=20000000
MaxMind provides the hierarchy of networks in their database. Generally we wish to know only the longest match and so the 'asn' lookup's default behaviour (as of v0.1.2) is to provide only the longest CIDR mask match. If you wish to see more, change the 'asn' lookup's 'max_matches' value in transforms.conf.
If use of a proxy is required, please click 'Manage Apps' under the app menu, find TA-asnlookup and click 'Set up', then fill in the details. e.g: https://proxy.example.com:3128
Run the following search to initially populate the asn lookup:
| asngen | table ip asn autonomous_system | outputlookup asn
The lookup will automatically update itself each morning.
The 'asn' lookup matches the longest CIDR mask for a given IPv4 address and can be used in the same way as any other lookup:
... | lookup asn ip AS <your_ip_field>