
ta-asngen's Introduction

TA-asngen

ASN Lookup Generator for Splunk

Further documentation is provided in the wiki here: https://github.com/doksu/TA-asngen/wiki

To download the ASN data from MaxMind, a (free) MaxMind account and a valid (free) license key are required.

ta-asngen's Issues

Create lookup error

On running the
| asngen | table ip asn autonomous_system | outputlookup asn

command, I am left with the error

Exception at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 57 : Please
check app proxy settings and license_key.

I have acquired a free license from MaxMind, but apparently the license I created hasn't been used. I am a bit confused at the moment.

Replication blacklist may not apply

When the user initially creates the lookup, it will end up in the current app context and so the replication blacklist may not apply correctly - need to test.

Offline usage

How can I use the ASNGEN on an offline Splunk installation? I have no option to do the online database update

Proxy config not applied when installed in SHC

Search head cluster (SHC) deployers merge/flatten app configs into the app's 'default' folder before pushing to cluster nodes. The asngen.py script only looks in the 'local' folder for proxy config (because the default config is empty) and so can't "see" the proxy config when a deployer flattens and pushes to cluster nodes.

Maxmind file moved

| asngen | table ip asn autonomous_system | outputlookup asn returns ->
Exception at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 44 : Please check app proxy settings

Checking the python file seemed to indicate the issue is that https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip was not accessible.

Turns out GeoIPASNum2.zip no longer exists. It's a 404.

https://dev.maxmind.com/geoip/geoip2/geolite2/ says:

GeoLite Legacy databases were discontinued on January 2, 2019.

GeoLite Legacy databases are no longer available for download. Attempting to download a GeoLite Legacy database file will result in the error: "Database edition not found".

new files are available:
`https://geolite.maxmind.com/download/geoip/database/GeoLite2-City-CSV.zip`
`https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip`
`https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip`

I assume the correct path/file is `https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip`

Any chance you can review and update the Splunk app?

Lookup for overlapping networks

You state that the lookup matches on the longest netmask. In my testing this does not work.
If there are multiple matching CIDR networks, there is no result.
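The two reports above (the move to the GeoLite2-ASN CSV files, and the overlapping-network lookup) can both be checked outside Splunk. The following Python 3 is an added example and not TA-asngen's own code: it parses rows in the GeoLite2-ASN-Blocks CSV layout (the network, autonomous_system_number and autonomous_system_organization columns MaxMind publishes in that file), emits the ip/asn/autonomous_system columns the search above writes out, and resolves an address by longest prefix, which is the behaviour the wiki describes and this report says is missing. The sample rows, ASNs and organization names are constructed for illustration and are not real allocations.

```python
"""Parse GeoLite2-ASN-Blocks CSV rows into lookup rows and resolve an IP to
the most specific (longest-prefix) matching network.

Added example, not part of TA-asngen. Column names follow the header of
GeoLite2-ASN-Blocks-IPv4.csv; the rows below are constructed test data.
"""
import csv
import io
import ipaddress

# Constructed sample. The two 10.0.0.0 rows overlap on purpose so that the
# longest-prefix behaviour can be checked; the last row is deliberately broken.
SAMPLE_CSV = """network,autonomous_system_number,autonomous_system_organization
10.0.0.0/8,64496,EXAMPLE-BROAD
10.1.0.0/16,64497,EXAMPLE-NARROW
192.0.2.0/24,64498,EXAMPLE-DOC
not-a-network,1,BROKEN
"""

LOOKUP_FIELDS = ["ip", "asn", "autonomous_system"]


def parse_asn_blocks(text):
    """Return (network, asn, org) tuples; malformed rows are skipped rather
    than aborting the whole import, so one bad line cannot empty the lookup."""
    blocks = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            net = ipaddress.ip_network(rec["network"], strict=True)
            asn = int(rec["autonomous_system_number"])
        except (ValueError, KeyError, TypeError):
            continue
        blocks.append((net, asn, rec.get("autonomous_system_organization", "")))
    return blocks


def to_lookup_rows(blocks):
    """Rows in the column layout of '| asngen | table ip asn autonomous_system'."""
    return [{"ip": str(net), "asn": asn, "autonomous_system": org}
            for net, asn, org in blocks]


def write_lookup_csv(blocks):
    """Serialise the lookup the way outputlookup would store it (CSV, header first)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(to_lookup_rows(blocks))
    return buf.getvalue()


def lookup_asn(blocks, ip):
    """Longest-prefix match: of all networks containing ip, keep the one with
    the largest prefix length. Returns (asn, org), or None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, org in blocks:
        # IPv4 and IPv6 blocks ship in separate files; never compare across families.
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, asn, org)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    parsed = parse_asn_blocks(SAMPLE_CSV)
    print(write_lookup_csv(parsed), end="")
    for probe in ("10.1.2.3", "10.2.0.1", "198.51.100.1"):
        print(probe, "->", lookup_asn(parsed, probe))
```

Because `ipaddress` handles both address families, the same parser accepts the IPv4 and IPv6 block files from the GeoLite2-ASN-CSV archive; the `strict=True` check rejects rows whose host bits are set, which is the kind of line that otherwise silently produces a network nobody can match.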

Updates are failing with failed to parse transport header

Yesterday ASN Generator worked in our test environment. Today I tried to install it in our prod environment and it would not generate any output. Delving into it from the command line and running the code manually as the splunk user returns "Failed to parse transport header" in both environments.

$SPLUNK_HOME/bin/splunk cmd python /opt/splunk/etc/apps/TA-asngen/bin/asngen.py

{"finished":true,"inspector":{"messages":[["ERROR","RuntimeError at \"/opt/splunk/etc/apps/TA-asngen/bin/splunklib/searchcommands/search_command.py\", line 857 : Failed to parse transport header: \n"]]}}

Ver 1.1 Configuration Issue

I am getting the following error when running the search to populate the asn lookup following the update to ver 1.1. I checked the asngen.conf file and my license key is there, and I have added it in the setup section of the app, so I'm not sure what could be causing the issue. Is there something else I need to configure in the .conf or .py files?

Error: \TA-asngen\bin\asngen.py", line 37 : Error reading configuration. Please check your local asngen.conf file.

Suggested lookup size limit on the wiki is too low

Looks like the ASN list just recently broke the 20MB suggested lookup size limit in the wiki. As of today, the asn.csv clocks in at 20480161 bytes. I modified my lookup size limit to 30MB instead and it instantly began working again.

Allow setting MaxMind IP key through UI

It would be great if it were possible to set the MaxMind IP key through the web UI, as currently it can only be set by editing the configuration file[1], which makes this app unusable in Splunk Cloud (modifying config files directly is not an option there).

[1] default/asngen.conf
[proxies]
https =

[maxmind]
license_key =

Autonomous system lookup failure before deduplication of IP addresses

I found that the autonomous system and ASN number cannot be resolved before deduplicating the result IP addresses, but the iplocation information can be shown without problem. As we need to do some counting tasks and filtering by organization, we cannot deduplicate the IP addresses before resolving the organizations.

Python3 compatibility

I wanted to bring awareness that v1.1.1 of the TA doesn't seem to run with Python 3 on Splunk version 8.0.5. I'm not a programmer, but it appears there's an incompatibility in one of the libraries.
> splunk cmd python3 asngen.py
Traceback (most recent call last):
  File "asngen.py", line 3, in <module>
    from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration, Option, validators
  File "/opt/splunk/etc/apps/TA-asngen/bin/splunklib/searchcommands/__init__.py", line 145, in <module>
    from .environment import *
  File "/opt/splunk/etc/apps/TA-asngen/bin/splunklib/searchcommands/environment.py", line 21, in <module>
    from os import chdir, environ, getcwdu, path
ImportError: cannot import name 'getcwdu' from 'os' (/opt/splunk/lib/python3.7/os.py)

Exception in the cloud

Trying to get this TA to work in the Splunk Cloud. I have updated the splunklib to 1.7.4 and fixed other failures found by splunk-inspect.

However, after installation in the cloud, I got this error when running "asngen":
Exception at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 55 : maxmind license_key is required

I have put a MaxMind license key in the asngen.conf file, which I have verified is there in the installation (uploaded with a .tgz file).

Any thoughts on how this might happen? I looked at asngen.py briefly. It seems that it should have worked.

Thank you for reading this.

Adding meaningful text to exceptions

Had to change the exception handling to output the actual error message from the proxy server in order to troubleshoot.

        except Exception as ex:
            raise Exception(ex)

Proxy with authentication

This looks like a cool add-on. Is it possible to update the add-on to gather/use a proxy username and proxy password for authenticated outbound proxies?

NameError at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 37 : global name 'ProxyHandler' is not defined

After installing the app and setting proxies an error occurred:
NameError at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 37 : global name 'ProxyHandler' is not defined
I've fixed it by importing urllib2 and changing this part:

        if proxies['http'] is not None or proxies['https'] is not None:
            proxy = urllib2.ProxyHandler(proxies)
            opener = urllib2.build_opener(proxy)
            urllib2.install_opener(opener)

        try:
            url = urllib2.urlopen("https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip")
        except:
            raise Exception("Please check app proxy settings")

Also I think it's worth stating how to set CIDR-type lookup in splunk, maybe simply by putting this link to splunkanswers: https://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html

Now command works, that's exactly what I needed! Thank you!

How to make proxy authentication work in asngen.conf?

Hi,

In my organization there is a strict rule not to allow any unauthenticated traffic, and the connection to https://download.maxmind.com/app/geoip_download/* has to go through an authenticated proxy.
However, I didn't find any parameter where I can specify the proxy_username and proxy_password.
Can someone please help me understand how to make this work, or whether this app doesn't work at all with proxy authentication?
Below is that content for my local/asngen.conf -

[splunk@np-sh-2 local]$ cat asngen.conf
[maxmind]
license_key = Gxxxxxxxxxxo7

[proxies]
https = http://outbound-service-proxy.gateway.xxxx-euw1-xxxxxxxxxxxxxxxxxxxx:80
[splunk@np-sh-2 local]$

Will adding two other parameters like the ones below under the [proxies] stanza work?

[proxies]
https = http://outbound-service-proxy.gateway.xxxx-euw1-xxxxxxxxxxxxxxxxxxxx:80
proxy_username = blablabla
proxy_password = blablablablabla

Please advise! Thanks in advance!
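The three proxy-related reports above (surfacing the real exception text, the missing ProxyHandler import, and authenticated outbound proxies) all come down to how the download opener is built and how a failure is reported. The following Python 3 is an added example, not the add-on's own code: it reads an asngen.conf-style file, builds a urllib opener with a ProxyHandler and, when credentials are present, a ProxyBasicAuthHandler, and wraps the download so the caller sees the HTTP status, URL and response body instead of a generic "check proxy settings" message. The proxy_username and proxy_password keys are an assumption (the add-on does not document them), the MaxMind permalink query parameters (edition_id, license_key, suffix) are taken from MaxMind's published download format rather than from this page, and the host, license key and credentials in the sample config are placeholders.

```python
"""Build a proxy-aware urllib opener for the MaxMind download and report
failures with their real cause.

Added example, not TA-asngen's code. proxy_username/proxy_password under
[proxies] are assumed keys; the conf values below are placeholders.
"""
import configparser
import io
import urllib.error
import urllib.parse
import urllib.request

# MaxMind permalink base (assumption: taken from MaxMind's documented download
# format, not from the add-on).
MAXMIND_URL = "https://download.maxmind.com/app/geoip_download"

# Constructed asngen.conf content; host, key and credentials are placeholders.
SAMPLE_CONF = """[maxmind]
license_key = Gxxxxxxxxxxo7

[proxies]
https = http://outbound-service-proxy.example:80
proxy_username = blablabla
proxy_password = blablablablabla
"""


def load_conf(text):
    """Return (license_key, proxies, proxy_user, proxy_password); empty proxy
    values are dropped so 'https =' does not install a proxy for ''."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    proxies = {k: v.strip() for k, v in cp.items("proxies")
               if k in ("http", "https") and v.strip()}
    user = cp.get("proxies", "proxy_username", fallback=None)
    password = cp.get("proxies", "proxy_password", fallback=None)
    key = cp.get("maxmind", "license_key", fallback="").strip()
    if not key:
        raise ValueError("maxmind license_key is required")
    return key, proxies, user, password


def download_url(license_key, edition="GeoLite2-ASN-CSV"):
    """Permalink for the ASN CSV archive; the key lands in the query string,
    so never log the full URL."""
    return MAXMIND_URL + "?" + urllib.parse.urlencode(
        {"edition_id": edition, "license_key": license_key, "suffix": "zip"})


def build_opener(proxies, user=None, password=None):
    """ProxyHandler routes the request; ProxyBasicAuthHandler answers a 407
    with the credentials registered for that proxy host."""
    handlers = []
    if proxies:
        handlers.append(urllib.request.ProxyHandler(proxies))
        if user and password:
            pm = urllib.request.HTTPPasswordMgrWithDefaultRealm()
            for proxy_url in proxies.values():
                pm.add_password(None, proxy_url, user, password)
            handlers.append(urllib.request.ProxyBasicAuthHandler(pm))
    return urllib.request.build_opener(*handlers)


def describe_failure(exc):
    """Turn a urllib exception into a message that names the real cause."""
    if isinstance(exc, urllib.error.HTTPError):
        try:
            body = exc.read(200).decode("utf-8", "replace")
        except Exception:  # no response body attached
            body = ""
        return "HTTP %d %s from %s: %s" % (exc.code, exc.reason, exc.filename, body.strip())
    if isinstance(exc, urllib.error.URLError):
        return "connection failed: %s" % exc.reason
    return "%s: %s" % (type(exc).__name__, exc)


def fetch(url, opener, timeout=60):
    """Download bytes, re-raising with the underlying diagnostic preserved."""
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read()
    except Exception as ex:
        raise RuntimeError("MaxMind download failed: " + describe_failure(ex)) from ex


def example_failure_message():
    """A constructed 407, as an authenticating proxy returns when credentials
    are missing; shows what the caller would now see instead of a bare message."""
    err = urllib.error.HTTPError(MAXMIND_URL, 407, "Proxy Authentication Required",
                                 {}, io.BytesIO(b"Proxy Authentication Required"))
    return describe_failure(err)


if __name__ == "__main__":
    key, proxies, user, password = load_conf(SAMPLE_CONF)
    opener = build_opener(proxies, user, password)
    print([type(h).__name__ for h in opener.handlers])
    print(example_failure_message())
```

The add-on's own code uses the Python 2 `urllib2` module; under Python 3 the same classes live in `urllib.request`, which is why the example imports from there. An alternative to the password manager is embedding credentials in the proxy URL (`http://user:pass@proxy:80`), which `ProxyHandler` also honours, but that puts the password into any place the URL is logged.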
