ASN Lookups

Can someone point out the errors in my script to add ASNs to the conn log? The fields are always “0” in the log but GeoIP is working as expected.

MaxMind’s ASN database is here:

$ ls -l /usr/share/GeoIP/GeoIPASNum.dat
-rw-r--r-- 1 dcrawford dcrawford 4361995 Mar 6 10:14 /usr/share/GeoIP/GeoIPASNum.dat

And my add_geo-asn.bro script:

redef record Conn::Info += {
    ## Country code and ASN of the originator and responder, written to conn.log.
    orig_cc: string &optional &log;
    resp_cc: string &optional &log;
    orig_asn: count &optional &log;
    resp_asn: count &optional &log;
};

event connection_state_remove(c: connection)
    {
    # ASN of the originating host (lookup_asn returns 0 when nothing is found).
    c$conn$orig_asn = lookup_asn(c$id$orig_h);

    local orig_loc = lookup_location(c$id$orig_h);
    if ( orig_loc?$country_code )
        c$conn$orig_cc = orig_loc$country_code;

    # Same for the responding host.
    c$conn$resp_asn = lookup_asn(c$id$resp_h);

    local resp_loc = lookup_location(c$id$resp_h);
    if ( resp_loc?$country_code )
        c$conn$resp_cc = resp_loc$country_code;
    }

-Dave

Your script looks fine to me. Is it possible you're seeing messages like "Can't open GeoIP ASNUM database" in your reporter log?

  .Seth

Ahh yes, there is an error:

Reporter::ERROR Can't open GeoIP ASNUM database: /usr/share/GeoIP/GeoIPASNum.dat (lookup_asn(c$id$orig_h))

But the permissions look correct:

$ ls -l /usr/share/GeoIP/GeoIPASNum.dat
-rw-r--r-- 1 dcrawford dcrawford 4361995 Mar 6 10:14 /usr/share/GeoIP/GeoIPASNum.dat

Perhaps I grabbed the wrong version of the MaxMind ASN DB? This is the one I installed:

http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz

Closing the loop on this… totally self-inflicted. I deployed the MaxMind database to the manager but forgot to also deploy to all the sensors.

Everything is working as intended now.
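An added variant of the script from this thread (not Dave's or the Bro project's own code) that makes the failure mode above easier to spot: it leaves the ASN fields unset instead of logging 0 when lookup_asn() finds nothing, and each node calls lookup_asn() once at startup so the "Can't open GeoIP ASNUM database" reporter error surfaces on a sensor immediately rather than on its first connection. The probe address and the use of peer_description to name the node are assumptions.

```bro
##! Added example: conn.log ASN/country fields that stay unset when unknown,
##! plus a startup probe so a missing ASN database is reported per node.

redef record Conn::Info += {
    orig_cc:  string &optional &log;
    resp_cc:  string &optional &log;
    orig_asn: count  &optional &log;
    resp_asn: count  &optional &log;
};

## Assumed: any address works here; the call only forces Bro to open the
## database on this node so an unreadable file is reported at startup.
const asn_probe_addr = 192.0.2.1 &redef;

event bro_init()
    {
    # lookup_asn() opens GeoIPASNum.dat on first use; if the file is missing
    # on this host the reporter log gets the "Can't open" error right now,
    # and this warning says which cluster node it came from.
    if ( lookup_asn(asn_probe_addr) == 0 )
        Reporter::warning(fmt("ASN probe returned 0 on node %s; verify that "
                              "GeoIPASNum.dat is deployed on this host",
                              peer_description));
    }

event connection_state_remove(c: connection)
    {
    # 0 means "no record" (or no database); keep the field unset in that case
    # so a column of zeros cannot be mistaken for real data.
    local orig_asn = lookup_asn(c$id$orig_h);
    if ( orig_asn != 0 )
        c$conn$orig_asn = orig_asn;

    local orig_loc = lookup_location(c$id$orig_h);
    if ( orig_loc?$country_code )
        c$conn$orig_cc = orig_loc$country_code;

    local resp_asn = lookup_asn(c$id$resp_h);
    if ( resp_asn != 0 )
        c$conn$resp_asn = resp_asn;

    local resp_loc = lookup_location(c$id$resp_h);
    if ( resp_loc?$country_code )
        c$conn$resp_cc = resp_loc$country_code;
    }
```

The probe warning also fires on a correctly deployed node if the chosen address simply has no ASN record, so pick an address you expect to resolve and treat the accompanying reporter "Can't open" error as the decisive signal.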