000034120 - How to automatically or manually update MaxMind GeoIP database(s) in RSA Web Threat Detection

Document created by RSA Customer Support Employee on Oct 17, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000034120
Applies To: RSA Product Set: Web Threat Detection
RSA Product/Service Type: Web Threat Detection
Issue: WTD ships with a static copy of the MaxMind GeoIPCity Lite database. This is the free database provided by MaxMind; it makes no claims about accuracy and does not offer monthly updates, unlike the full version of the same database.
Although this database does not receive regular updates, new versions are published from time to time, and applying one usually means downloading a new copy and replacing the existing file.
Resolution: The WTD installation includes GeoIP-1.4.8-1.el6.x86_64.rpm as a dependency. This RPM provides the geoipupdate utility.
1. Modify the configuration file /etc/GeoIP.conf so that it includes a MaxMind UserId, a LicenseKey and the appropriate ProductIds.
NOTE: The free GeoIP Legacy City Lite database does not need a license key, just the placeholder values shown below. If you license the full database from MaxMind, include those details instead.
[root@croxfglab ~]# nano /etc/GeoIP.conf
 
# The following UserId and LicenseKey are required placeholders:
UserId 999999
LicenseKey 000000000000
# Include one or more of the following ProductIds:
# * GeoLite2-City - GeoLite 2 City
# * GeoLite2-Country - GeoLite2 Country
# * GeoLite-Legacy-IPv6-City - GeoLite Legacy IPv6 City
# * GeoLite-Legacy-IPv6-Country - GeoLite Legacy IPv6 Country
# * 506 - GeoLite Legacy Country
# * 517 - GeoLite Legacy ASN
# * 533 - GeoLite Legacy City
ProductIds 533 GeoLite-Legacy-IPv6-City



2. Run the geoipupdate utility specifying the WTD geoip database location:
[root@croxfglab ~]#  geoipupdate -v -d /var/opt/silvertail/lib/
 

Opened License file /etc/GeoIP.conf
Read in license key YOUR_LICENSE
number of product ids 2
Connecting to MaxMind GeoIP server
via Host or Proxy Server: api.maxmind.com:80
sending request GET /app/update_getfilename?product_id=533 HTTP/1.0
Host: updates.maxmind.com

database product id 533 database file name /var/opt/silvertail/lib/GeoLiteCity.dat
MD5 Digest of installed database is b8fe7967ae5ce66f8d4b786fa77d1c52
MD5 sum of database /var/opt/silvertail/lib/GeoLiteCity.dat is b8fe7967ae5ce66f8d4b786fa77d1c52
Connecting to MaxMind GeoIP Update server
sending request GET /app/update_getipaddr HTTP/1.0
Host: updates.maxmind.com
client ip address: 152.62.109.201
md5sum of ip address and license key is 20b48aa5b106ff5b918ad2046d150cef
sending request GET /app/update_secure?db_md5=b8fe7967ae5ce66f8d4b786fa77d1c52&challenge_md5=20b48aa5b106ff5b918ad2046d150cef&user_id=&edition_id=533 HTTP/1.0
Host: updates.maxmind.com

Downloading gzipped GeoIP Database...
/var/opt/silvertail/lib/GeoLiteCity.dat is up to date, no updates required
GeoIP Database up to date
Connecting to MaxMind GeoIP server
via Host or Proxy Server: api.maxmind.com:80
sending request GET /app/update_getfilename?product_id=GeoLite-Legacy-IPv6-City HTTP/1.0
Host: updates.maxmind.com

database product id GeoLite-Legacy-IPv6-City database file name /var/opt/silvertail/lib/GeoLiteCityv6.dat
MD5 Digest of installed database is 5f2460c6dc72de8ed924275b8347f5c7
MD5 sum of database /var/opt/silvertail/lib/GeoLiteCityv6.dat is 5f2460c6dc72de8ed924275b8347f5c7
md5sum of ip address and license key is 20b48aa5b106ff5b918ad2046d150cef
sending request GET /app/update_secure?db_md5=5f2460c6dc72de8ed924275b8347f5c7&challenge_md5=20b48aa5b106ff5b918ad2046d150cef&user_id=&edition_id=GeoLite-Legacy-IPv6-City HTTP/1.0
Host: updates.maxmind.com

Downloading gzipped GeoIP Database...
Done
Updating /var/opt/silvertail/lib/GeoLiteCityv6.dat
Saving gzip file to /var/opt/silvertail/lib/GeoLiteCityv6.dat.gz ... download data to a gz file named /var/opt/silvertail/lib/GeoLiteCityv6.dat.gz
Done
Uncompressing gzip file ... Done
Performing santity checks ... Database type is 30
database_info  PASS  lookup  PASS
Done
Updated database

3. Automate the geoipupdate utility using cron so that it runs on a schedule, e.g. weekly:
[root@croxfglab ~]#  crontab -e
36 19 * * 6 /usr/local/bin/geoipupdate -d /var/opt/silvertail/lib/
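As an added example, not part of this article or of the WTD product: a wrapper script for the cron job in step 3. It takes an MD5 snapshot of the .dat files in the WTD database directory before and after running geoipupdate -d and writes to syslog which databases actually changed, so a run that silently leaves a stale database behind is visible. The script path, the environment variable names, the --run flag and the use of logger are assumptions.

```shell
#!/bin/sh
# Added example (not RSA/WTD tooling): run geoipupdate against the WTD
# database directory and log whether any .dat file actually changed.
# Paths, variable names and the --run flag are assumptions.
set -eu

WTD_GEOIP_DIR="${WTD_GEOIP_DIR:-/var/opt/silvertail/lib}"   # directory from the article
GEOIP_CONF="${GEOIP_CONF:-/etc/GeoIP.conf}"                   # geoipupdate default config

# Print "md5  path" for every legacy .dat database in a directory, sorted,
# so that two snapshots can be compared line by line.
db_fingerprint() {
    for f in "$1"/*.dat; do
        [ -f "$f" ] || continue
        md5sum "$f"
    done | sort -k 2
}

# Print the path of each database whose line in AFTER ($2) has no exact
# match in BEFORE ($1), i.e. changed or newly created. Prints nothing
# when nothing changed.
changed_databases() {
    before="$1"
    printf '%s\n' "$2" | while read -r sum path; do
        [ -n "$sum" ] || continue
        printf '%s\n' "$before" | grep -Fxq -- "$sum  $path" || printf '%s\n' "$path"
    done
}

# Cron entry point: snapshot, update, snapshot again, report via syslog.
main() {
    [ -r "$GEOIP_CONF" ] || { echo "wtd-geoip: $GEOIP_CONF not readable" >&2; exit 2; }
    before=$(db_fingerprint "$WTD_GEOIP_DIR")
    geoipupdate -d "$WTD_GEOIP_DIR"        # same invocation as step 2, without -v
    after=$(db_fingerprint "$WTD_GEOIP_DIR")
    changed=$(changed_databases "$before" "$after")
    if [ -n "$changed" ]; then
        logger -t wtd-geoip "updated: $(printf '%s' "$changed" | tr '\n' ' ')"
    else
        logger -t wtd-geoip "no change in $WTD_GEOIP_DIR (geoipupdate exit 0)"
    fi
}

# Only act when invoked with --run, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Installed as, for instance, /usr/local/sbin/wtd-geoip-update.sh (hypothetical path), the crontab line from step 3 becomes `36 19 * * 6 /usr/local/sbin/wtd-geoip-update.sh --run`.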

