Guy Bruneau

ASN Custom Feed

Discussion created by Guy Bruneau on Aug 21, 2017
Latest reply on Dec 1, 2017 by Guy Bruneau

RSA used to provide a feed for Autonomous System Numbers (ASN), which is no longer available for download. I created a Perl script that converts the Maxmind CSV file into something usable by a decoder. The Perl script creates the ASN CSV file needed to create the feed, and the XML file is used to compile the feed.


By default, the ASN keys (asn.src and asn.dst) are not indexed. If you wish to run queries or reports on them, add the following to your Broker(s)/Concentrator(s) and restart the Broker(s)/Concentrator(s) for indexing to take effect:


<key description="Source ASN" format="UInt32" level="IndexValues" name="asn.src" valueMax="500000"/>
<key description="Destination ASN" format="UInt32" level="IndexValues" name="asn.dst" valueMax="500000"/>


Steps


Download the GeoLite ASN GeoIPASNum2.zip file from Maxmind and unzip GeoIPASNum2.zip, together with maxmindasn.pl and maxmindasn.xml, on any NetWitness appliance.


Execute the Maxmind Perl script (i.e. perl maxmindasn.pl); it will create a new file, maxmindasn.csv. This file is used together with maxmindasn.xml to create the feed.


There are two ways to create the feed. Either with NwConsole:


# NwConsole
# feed create maxmindasn.xml
- Upload the feed maxmindasn.feed to all decoders.


Or directly in the SA GUI: as an administrator, push it to all the decoders in Live -> Feeds -> Custom Feeds -> Adhoc or Recurring and load the files as follows:


Loading ASN feed to Decoders
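The conversion step above (maxmindasn.pl) is the part most people will want to adapt. This is an added example in Python, not the author's Perl script: it parses the legacy MaxMind GeoIPASNum2.csv layout (start_int,end_int,"AS<number> <org>"), expands each integer range into the minimal set of CIDR blocks a feed can key on, and skips malformed rows. The cidr,asn,org output column order is an assumption; match it to whatever maxmindasn.xml declares.

```python
"""Added example, not the author's maxmindasn.pl: turn the legacy MaxMind
GeoIPASNum2.csv (start_int,end_int,"AS<num> <org>") into feed rows keyed by
CIDR. The cidr,asn,org output layout is an assumption about the feed XML."""
import csv
import ipaddress
import re
import sys
from io import StringIO

AS_FIELD = re.compile(r"^AS(\d+)(?:\s+(.*))?$")

def parse_asn_field(field):
    """'AS64496 Example Org' -> (64496, 'Example Org'); None if malformed."""
    m = AS_FIELD.match(field.strip())
    return (int(m.group(1)), (m.group(2) or "").strip()) if m else None

def range_to_cidrs(start, end):
    """Expand an inclusive integer IPv4 range into its minimal CIDR blocks."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

def convert(text):
    """Return [cidr, asn, org] rows for every valid input line; skip bad ones."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != 3:
            continue  # short or malformed record
        try:
            start, end = int(rec[0]), int(rec[1])
        except ValueError:
            continue  # non-numeric IP bounds
        parsed = parse_asn_field(rec[2])
        if parsed is None or not 0 <= start <= end <= 0xFFFFFFFF:
            continue  # bad AS field or impossible range
        asn, org = parsed
        for cidr in range_to_cidrs(start, end):
            rows.append([cidr, str(asn), org])
    return rows

# Constructed sample: documentation prefixes (RFC 5737) and reserved ASNs.
SAMPLE = (
    '3221225984,3221226239,"AS64496 Example Org A"\n'  # 192.0.2.0/24
    '3325256704,3325256895,"AS64497 Example Org B"\n'  # 198.51.100.0-.191
    'not,a,row\n'                                       # skipped
)

if __name__ == "__main__":
    csv.writer(sys.stdout).writerows(convert(SAMPLE))
```

Redirect the output to maxmindasn.csv to get a file in the same role as the one the Perl script produces.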


An example where you can use the ASN information:

Top 10 Inbound Scan by ASN


[1] http://dev.maxmind.com/geoip/legacy/geolite/

[2] http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip
