Splunk Enterprise Security

Maxmind Threat Intelligence Database is not downloading

josephliion
Explorer

Hi there, I noticed that the URL path for the MaxMind ASN Database has changed to another path, and the SIEM can no longer retrieve the file.


When I tried to put in the new path, I realized that the zip file has a folder with two files in it and is unreadable for Splunk.

Does anyone have the same problem? Is there another way to update the threat intelligence with IP geolocation?

Best Regards,
Jose León

tommoore
Path Finder

Anyone know if this has been fixed yet?

0 Karma

mdillon_splunk
Splunk Employee

Hi,

There are several Splunkbase apps around this, with one of the latest being the ASN Lookup Generator:

https://splunkbase.splunk.com/app/3531

0 Karma

richgalloway
SplunkTrust

Where are you using the ASN file? Splunk ships with GeoLite2-City.mmdb, which is all that you should need to update.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kaw243
Explorer

The ASN file is used in ES in the lookup gens below:

Threat - ASN CIDR Matches - Lookup Gen
Threat - ASN IPv6 CIDR Matches - Lookup Gen
Threat - ASN String Matches - Lookup Gen

0 Karma

mdillon_splunk
Splunk Employee

Hi Jose,

This has been identified as an issue to be addressed under SOLNESS-17731 - "Name and location of the MaxMind GeoIP database has changed".

At present others are using the workaround of extracting the downloaded zip folder to a hosted web server or, e.g., a GitHub repository.

Hope it helps,
Cheers,
Matt - Splunk.

0 Karma

rragazan
Loves-to-Learn Lots

Hi @mdillon_splunk

There is now a requirement that we and other users first obtain a free license key from MaxMind (https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) and update the link to take this into account such that the URL becomes "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN-CSV&license_key=INSERT_LICEN...".

The reason I'm raising this after quite some time since the last post on this thread is that I'm wondering whether "SOLNESS-17731" is also planning to take into account that the backend Python code that Splunk uses for this functionality (called "threatlist.py" and "protocols.py") currently seems unable to process archives that have multiple files within, as the screenshot below from my experimentation shows:

MultiFileArchiveProblem.png


The problem here is that MaxMind currently doesn't provide these files except as part of a ZIP or TAR.GZ archive with the following multi-file structure:

Folder: GeoLite2-ASN-CSV_20200728
    GeoLite2-ASN-Blocks-IPv4.csv
    COPYRIGHT.txt
    GeoLite2-ASN-Blocks-IPv6.csv
    LICENSE.txt

Thus, it would be ideal if we could somehow specify a configuration parameter when setting up the input like "File location: GeoLite2-ASN-CSV_YYYYmmdd/GeoLite2-ASN-Blocks-IPv4.csv" so that we can select which file Splunk will parse out of the archive.

We have a use case which relies on these CIDR IP <> ASN mappings, so it would be great to get an update on whether something like the above has been considered as part of "SOLNESS-17731"; also, could you please let me know if this should rather be raised as a Splunk Idea instead?

Many thanks!

0 Karma
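The workaround Matt describes above (extract the downloaded zip to a hosted web server so ES fetches a single plain CSV) and the per-member selection rragazan asks for, as an added example that is not Splunk's threatlist.py or any code from this thread. The archive layout and the download URL form are taken from the posts; the CSV column names, the sample networks and private ASNs, and the function names are this example's own assumptions. The license key is read from an environment variable and scrubbed before the URL is logged, since the key is a credential that should not end up in inputs.conf or in splunkd logs.

```python
"""Added example, not Splunk's threatlist.py: pick one CSV out of a multi-file
MaxMind GeoLite2 zip and publish it as a single file for the ES threatlist
input, mirroring the 'extract to a hosted web server' workaround."""
import csv
import fnmatch
import io
import ipaddress
import os
import zipfile
from pathlib import Path
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

DOWNLOAD_BASE = "https://download.maxmind.com/app/geoip_download"  # URL form quoted in the thread
# Assumed member path: folder name carries the build date, so it is matched with a glob.
DEFAULT_MEMBER = "GeoLite2-ASN-CSV_*/GeoLite2-ASN-Blocks-IPv4.csv"


def build_download_url(edition_id: str, license_key: str) -> str:
    """Compose the per-account download URL; the key comes from the environment, never a config file."""
    return DOWNLOAD_BASE + "?" + urlencode({"edition_id": edition_id, "license_key": license_key})


def redact_url(url: str) -> str:
    """Scrub the license_key value so the URL can be written to a log safely."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "license_key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def select_member(zip_bytes: bytes, member_pattern: str = DEFAULT_MEMBER):
    """Return (basename, content) of exactly one archive member matching the glob.
    Rejects zero or several matches (the multi-file problem from the thread) and
    member names that could escape the output directory (zip slip)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        for name in names:
            if name.startswith(("/", "\\")) or ".." in name.split("/"):
                raise ValueError(f"unsafe member name in archive: {name!r}")
        matches = [n for n in names if fnmatch.fnmatchcase(n, member_pattern)]
        if len(matches) != 1:
            raise ValueError(f"expected one member for {member_pattern!r}, got {matches}")
        return os.path.basename(matches[0]), zf.read(matches[0])


def publish_member(zip_bytes: bytes, web_root: Path, member_pattern: str = DEFAULT_MEMBER) -> Path:
    """Write the selected CSV under web_root (the directory a web server serves) and return its path."""
    name, content = select_member(zip_bytes, member_pattern)
    target = Path(web_root) / name
    target.write_bytes(content)
    return target


def parse_asn_blocks(csv_bytes: bytes):
    """Parse the GeoLite2-ASN-Blocks CSV (assumed columns: network,
    autonomous_system_number, autonomous_system_organization) into (network, asn, org)
    tuples sorted most-specific-first so lookups return the longest matching prefix."""
    rows = csv.DictReader(io.StringIO(csv_bytes.decode("utf-8")))
    blocks = [(ipaddress.ip_network(r["network"], strict=False),
               int(r["autonomous_system_number"]),
               r["autonomous_system_organization"]) for r in rows]
    blocks.sort(key=lambda b: b[0].prefixlen, reverse=True)
    return blocks


def lookup_asn(blocks, ip_text: str):
    """Return (asn, org) for the longest block containing ip_text, or None if unmapped."""
    ip = ipaddress.ip_address(ip_text)
    for net, asn, org in blocks:
        if ip.version == net.version and ip in net:
            return asn, org
    return None


def build_sample_zip() -> bytes:
    """Constructed stand-in for the MaxMind download with the layout posted in the thread.
    Networks are documentation ranges and the ASNs are from the private range."""
    folder = "GeoLite2-ASN-CSV_20200728/"
    header = "network,autonomous_system_number,autonomous_system_organization\n"
    ipv4 = header + "192.0.2.0/24,64512,Constructed Example Net\n198.51.100.0/25,64513,Constructed Lab ISP\n"
    ipv6 = header + "2001:db8::/32,64514,Constructed v6 Net\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(folder + "GeoLite2-ASN-Blocks-IPv4.csv", ipv4)
        zf.writestr(folder + "COPYRIGHT.txt", "constructed placeholder")
        zf.writestr(folder + "GeoLite2-ASN-Blocks-IPv6.csv", ipv6)
        zf.writestr(folder + "LICENSE.txt", "constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    key = os.environ.get("MAXMIND_LICENSE_KEY", "placeholder-key")  # assumed variable name
    print("would fetch:", redact_url(build_download_url("GeoLite2-ASN-CSV", key)))
    name, data = select_member(build_sample_zip())  # offline: constructed archive, no download
    blocks = parse_asn_blocks(data)
    print(name, lookup_asn(blocks, "192.0.2.10"), lookup_asn(blocks, "198.51.100.200"))
```

Point the ES threatlist input at the published file's URL instead of the MaxMind download; the selected member's basename is used as the output name so a member path like `../evil.csv` cannot write outside the web root, and the 198.51.100.200 lookup shows a /25 correctly missing an address in its unlisted half.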

mdillon_splunk
Splunk Employee

Hi @rragazan

The issue should now be addressed in Enterprise Security 6.2.0:

https://docs.splunk.com/Documentation/ES/6.2.0/RN/FixedIssues

SOLNESS-22110 - Threat Intelligence: Maxmind ASN database can no longer be consumed

0 Karma