ASN Lookup Generator for Splunk
Further documentation is provided in the wiki here: https://github.com/doksu/TA-asngen/wiki
To download the ASN data from MaxMind, an account (free) with MaxMind is required and a valid license key (free).
License: MIT License
On running the
`| asngen | table ip asn autonomous_system | outputlookup asn`
command, I am left with the error
```
Exception at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 57 : Please check app proxy settings and license_key.
```
I have acquired a free license from MaxMind but apparently the license I created hasn't been used. I am a bit confused at the moment.
Starting December 30, 2019, we will be requiring users of our GeoLite2 databases to register for a MaxMind account and obtain a license key in order to download GeoLite2 databases.
https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
It would be prudent to change the encoding of the asngen output to UTF-8 to ensure there are no issues with autonomous systems using non-English character sets.
https://answers.splunk.com/answers/9822/lookup-files-with-foreign-characters.html
When the user initially creates the lookup, it will end up in the current app context and so the replication blacklist may not apply correctly - need to test.
How can I use the ASNGEN on an offline Splunk installation? I have no option to do the online database update
Search head cluster (SHC) deployers merge/flatten app configs into the app's 'default' folder before pushing to cluster nodes. The asngen.py script only looks in the 'local' folder for proxy config (because the default config is empty) and so can't "see" the proxy config when a deployer flattens and pushes to cluster nodes.
`| asngen | table ip asn autonomous_system | outputlookup asn`
returns ->
```
Exception at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 44 : Please check app proxy settings
```
Checking the python file seemed to indicate the issue is that https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip
was not accessible.
Turns out GeoIPASNum2.zip
no longer exists. It's a 404.
https://dev.maxmind.com/geoip/geoip2/geolite2/ says:
GeoLite Legacy databases were discontinued on January 2, 2019.
GeoLite Legacy databases are no longer available for download. Attempting to download a GeoLite Legacy database file will result in the error: "Database edition not found".
new files are available:
`https://geolite.maxmind.com/download/geoip/database/GeoLite2-City-CSV.zip`
`https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip`
`https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip`
I assume the correct path/file is `https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip`
Any chance you can review and update the Splunk app?
Any plans to get this app certified for Splunk Cloud?
You state that the lookup matches on the longest netmask. In my testing this does not work.
If there are multiple CIDR networks matching there is no result.
Hi,
I was checking out the GeoLite page, and it appears GeoLite2 (an updated format) is now the new standard and they're planning on discontinuing updates and deprecating the old GeoLite downloads.
New page is: https://dev.maxmind.com/geoip/geoip2/geolite2/
If I have some free time I can try and do a pull request to fix this and update the various Splunk pieces as well.
Yesterday ASN Generator worked in our test environment. Today I tried to install it in our prod environment and it would not generate any output. Delving into it from the command line and running the code manually as the splunk user returns "Failed to parse transport header" in both environments.
```
$SPLUNK_HOME/bin/splunk cmd python /opt/splunk/etc/apps/TA-asngen/bin/asngen.py
{"finished":true,"inspector":{"messages":[["ERROR","RuntimeError at \"/opt/splunk/etc/apps/TA-asngen/bin/splunklib/searchcommands/search_command.py\", line 857 : Failed to parse transport header: \n"]]}}
```
I am getting the following error when running the search to populate the asn lookup following the update to ver 1.1. I checked the asngen.conf file and my license key is there, and I have added it in the setup section of the app, so I'm not sure what could be causing the issue. Is there something else I need to configure in the .conf or .py files?
Error: \TA-asngen\bin\asngen.py", line 37 : Error reading configuration. Please check your local asngen.conf file.
Looks like the ASN list just recently broke the 20MB suggested lookup size limit in the wiki. As of today, the asn.csv clocks in at 20480161 bytes. I modified my lookup size limit to 30MB instead and it instantly began working again.
It would be great if it were possible to set the MaxMind IP through the web UI, as currently it is only possible to set it by editing the configuration file[1], making this app unusable in Splunk Cloud (it's not an option to modify config files there directly).
[1] default/asngen.conf
```
[proxies]
https =
[maxmind]
license_key =
```
I found that the autonomous system and ASN number cannot be resolved before deduplicating the resulting IP addresses, but the iplocation information can be shown without problem. As we need to do some counting tasks and filtering by organizations, we cannot deduplicate the IP addresses before resolving the organizations.
I wanted to bring awareness that v1.1.1 of the TA doesn't seem to run with Python3 on Splunk version 8.0.5. I'm not a programmer, but it appears there's an incompatibility in one of the libraries.
```
> splunk cmd python3 asngen.py
Traceback (most recent call last):
  File "asngen.py", line 3, in <module>
    from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration, Option, validators
  File "/opt/splunk/etc/apps/TA-asngen/bin/splunklib/searchcommands/__init__.py", line 145, in <module>
    from .environment import *
  File "/opt/splunk/etc/apps/TA-asngen/bin/splunklib/searchcommands/environment.py", line 21, in <module>
    from os import chdir, environ, getcwdu, path
ImportError: cannot import name 'getcwdu' from 'os' (/opt/splunk/lib/python3.7/os.py)
```
Trying to get this TA to work in the Splunk Cloud. I have updated the splunklib to 1.7.4 and fixed other failures found by splunk-inspect.
However, after installation in the cloud, I got this error when running "asngen":
Exception at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 55 : maxmind license_key is required
I have put a MaxMind license key in the asngen.conf file, which I have verified is there in the installation (uploaded with a .tgz file).
Any thoughts on how this might happen? I looked at asngen.py briefly. It seems that it should have worked.
Thank you for reading this.
Had to change the exception handling to output the actual error message from the proxy server to be able to troubleshoot.
```python
except Exception as ex:
    raise Exception(ex)
```
This looks like a cool add-on. Is it possible to update the add-on to gather/use a proxy username and proxy password for authenticated outbound proxies?
After installing the app and setting proxies an error occurred:
```
NameError at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 37 : global name 'ProxyHandler' is not defined
```
I've fixed it by importing urllib2 and changing this part:
```python
if proxies['http'] is not None or proxies['https'] is not None:
    proxy = urllib2.ProxyHandler(proxies)
    opener = urllib2.build_opener(proxy)
    urllib2.install_opener(opener)
try:
    url = urllib2.urlopen("https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip")
except:
    raise Exception("Please check app proxy settings")
```
Also I think it's worth stating how to set CIDR-type lookup in splunk, maybe simply by putting this link to splunkanswers: https://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html
Now command works, that's exactly what I needed! Thank you!
Hi,
In my organization there is a strict rule not allowing any unauthenticated traffic, and the connection to https://download.maxmind.com/app/geoip_download/* has to go through an authenticated proxy config.
However, I didn't find any parameter where I can specify the proxy_username and proxy_password.
Can someone please help me understand how to make this work, or whether this app doesn't work at all with proxy authentication?
Below is the content of my local/asngen.conf -
```
[splunk@np-sh-2 local]$ cat asngen.conf
[maxmind]
license_key = Gxxxxxxxxxxo7
[proxies]
https = http://outbound-service-proxy.gateway.xxxx-euw1-xxxxxxxxxxxxxxxxxxxx:80
[splunk@np-sh-2 local]$
```
Will adding two other parameters like below under the [proxies] stanza work?
```
[proxies]
https = http://outbound-service-proxy.gateway.xxxx-euw1-xxxxxxxxxxxxxxxxxxxx:80
proxy_username = blablabla
proxy_password = blablablablabla
```
Please advise! Thanks in advance!
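As an added example (not the TA's own code), a Python 3 loader that layers default/asngen.conf under local/asngen.conf the way Splunk resolves config, so a deployer-flattened app still works; rejects a missing license_key up front; and carries the proposed proxy_username/proxy_password keys into urllib's ProxyHandler. The config texts, proxy host and credential values are constructed for illustration.

```python
import configparser
import urllib.request
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample configs: the empty stanzas the app ships in default/
# and a local/ override as a user or the setup page would write it.
DEFAULT_CONF = "[proxies]\nhttps =\n[maxmind]\nlicense_key =\n"
LOCAL_CONF = ("[maxmind]\nlicense_key = LICENSE_KEY_PLACEHOLDER\n"
              "[proxies]\nhttps = http://proxy.example.internal:80\n"
              "proxy_username = svc-splunk\nproxy_password = p@ss:w0rd\n")

def parse_conf_layers(*layers):
    """Parse .conf texts in order (default first, local last); later keys win.
    A deployer-flattened app has everything in the first layer, which still works."""
    parser = configparser.ConfigParser(interpolation=None)
    for text in layers:
        parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}

def get_license_key(conf):
    key = conf.get("maxmind", {}).get("license_key", "").strip()
    if not key:  # fail early with the same condition the TA's error reports
        raise ValueError("maxmind license_key is required")
    return key

def build_proxies(conf):
    """Proxy map for urllib; proxy_username/proxy_password (hypothetical keys)
    are placed in the URL userinfo, which ProxyHandler sends as Proxy-Authorization."""
    section = conf.get("proxies", {})
    user = section.get("proxy_username", "").strip()
    password = section.get("proxy_password", "")
    proxies = {}
    for scheme in ("http", "https"):
        url = section.get(scheme, "").strip()
        if not url:
            continue
        if user:
            p = urlsplit(url)
            netloc = "%s:%s@%s" % (quote(user, safe=""), quote(password, safe=""), p.hostname)
            if p.port:
                netloc += ":%d" % p.port
            url = urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))
        proxies[scheme] = url
    return proxies

def build_opener(conf):
    """Opener with the proxy installed; opening the MaxMind URL is left to the caller."""
    proxies = build_proxies(conf)
    return urllib.request.build_opener(*([urllib.request.ProxyHandler(proxies)] if proxies else []))
```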