RSA used to provide a feed for Autonomous System Numbers (ASN), which is no longer available for download. I created a Perl script that converts the MaxMind CSV file into something usable by a decoder. The Perl script creates the ASN CSV file needed to create the feed. The XML file is used to compile the feed.
By default, the ASN keys (asn.src and asn.dst) are not indexed. If you wish to run queries or reports, you need to add the following to your Broker(s)/Concentrator(s) and restart the Broker(s)/Concentrator(s) for indexing to take effect:
<key description="Source ASN" format="UInt32" level="IndexValues" name="asn.src" valueMax="500000"/>
<key description="Destination ASN" format="UInt32" level="IndexValues" name="asn.dst" valueMax="500000"/>
Execute the MaxMind Perl script (i.e. perl maxmindasn.pl) and it will create a new file, maxmindasn.csv. This file is used with maxmindasn.xml to create the feed.
There are two ways to create the feed. Either with NwConsole:
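The conversion step sketched in Python, as an added example that is not the author's maxmindasn.pl. It assumes the input follows MaxMind's GeoLite2 ASN IPv4 blocks layout (network, autonomous_system_number, autonomous_system_organization) and that each feed row is first IP, last IP, ASN; the real column order has to match maxmindasn.xml, and the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed GeoLite2 ASN IPv4 blocks layout.
SAMPLE = """network,autonomous_system_number,autonomous_system_organization
192.0.2.0/24,64496,"Example Net, Inc."
198.51.100.0/25,64497,Example Transit
203.0.113.7/24,64498,Bad Host Bits
2001:db8::/32,64499,IPv6 Example
198.51.100.128/25,notanumber,Broken Row
"""

def convert(src, dst):
    """Write first_ip,last_ip,asn rows to dst; return (written, skipped).

    The output column order is an assumption and must match the field
    order declared in the feed definition XML.
    """
    written, skipped = 0, []
    out = csv.writer(dst, lineterminator="\n")
    for lineno, row in enumerate(csv.DictReader(src), start=2):
        try:
            # strict=True rejects CIDRs with host bits set instead of
            # silently widening the range that ends up in the feed.
            net = ipaddress.ip_network(row["network"], strict=True)
            asn = int(row["autonomous_system_number"])
            if net.version != 4:
                raise ValueError("not IPv4")
            if not 0 < asn <= 0xFFFFFFFF:  # asn.src/asn.dst are UInt32 keys
                raise ValueError("ASN outside UInt32")
        except (KeyError, TypeError, ValueError) as exc:
            skipped.append((lineno, str(exc)))
            continue
        out.writerow([net.network_address, net.broadcast_address, asn])
        written += 1
    return written, skipped

def convert_text(text):
    """Convenience wrapper: convert CSV text and return the output text."""
    buf = io.StringIO()
    written, skipped = convert(io.StringIO(text), buf)
    return buf.getvalue(), written, skipped

if __name__ == "__main__":
    csv_text, written, skipped = convert_text(SAMPLE)
    print(csv_text, end="")
    print(f"{written} written, {len(skipped)} skipped: {skipped}")
```

Reviewing the skipped list before compiling the feed keeps malformed source rows from turning into wrong asn.src/asn.dst values on the decoders.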
# feed create maxmindasn.xml
- Upload the feed maxmindasn.feed to all decoders
Or directly in the SA GUI: as an administrator, push it to all the decoders in Live -> Feeds -> Custom Feeds -> Adhoc or Recurring and load the files as follows:
An example where you can use the ASN information