Splunk Search

How to add own IP locations into the GeoLite2-City.mmdb

graether
Path Finder

Hello,

I applied successfully the tool at

github Customizing-Maxmind-IP-Geo-DB-for-Internal-Networks

https://github.com/threatstream/mhn/wiki/Customizing-Maxmind-IP-Geo-DB-for-Internal-Networks

to add our own IPs for an important Enterprise Security project.

But somehow the mmdb created by

python csv2dat.py -w mmcity.dat mmcity GeoLiteCity-and-mynetworks.csv

differs from Splunk's internal GeoLite2-City.mmdb

>>> import pygeoip, json
>>> geo = pygeoip.GeoIP('GeoLite2-City.mmdb')
>>> print json.dumps(geo.record_by_addr('182.236.164.11'), indent=4, sort_keys=True)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/root/mmutils/env/lib/python2.7/site-packages/pygeoip/__init__.py", line 544, in record_by_addr
    raise GeoIPError(message)
pygeoip.GeoIPError: Invalid database type, expected City

Is there a better method? Did I miss another conversion step?

Thanks!

0 Karma

MuS
Legend

A quick Google search reveals that the above script creates a .dat binary file, and the file you used is a .mmdb, which is the newer version. Another quick Google search reveals that there are many tools and topics on how to convert a .dat file to a .mmdb.

Try this https://www.google.com/search?q=python+convert+mmdb+to+dat

cheers, MuS
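To tell the two formats apart before handing a file to Splunk, here is an added example (not from the thread or from either tool it mentions): a small Python 3 checker that looks for the MMDB metadata marker in the file tail, decodes the metadata map with the subset of the MMDB data types the spec allows there, and reports whether the file declares a City database_type. The sample blobs are hand-constructed stand-ins, not real databases.

```python
MARKER = b"\xab\xcd\xefMaxMind.com"   # precedes the metadata map in every MMDB file
def _decode(buf, pos):
    """Decode one MMDB data-section value at pos -> (value, next_pos); metadata types only."""
    typ, size, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if typ == 0:                                   # extended type: next byte + 7
        typ = buf[pos] + 7; pos += 1
    if size >= 29:                                 # 1-3 extra size bytes follow
        extra = size - 28
        size = int.from_bytes(buf[pos:pos + extra], "big") + (29, 285, 65821)[extra - 1]
        pos += extra
    if typ == 2:                                   # UTF-8 string
        return buf[pos:pos + size].decode("utf-8"), pos + size
    if typ in (5, 6, 9, 10):                       # uint16 / uint32 / uint64 / uint128
        return int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if typ == 7:                                   # map: size = number of key/value pairs
        out = {}
        for _ in range(size):
            key, pos = _decode(buf, pos)
            out[key], pos = _decode(buf, pos)
        return out, pos
    if typ == 11:                                  # array: size = number of entries
        items = []
        for _ in range(size):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("type %d (pointer, double, ...) is not valid inside MMDB metadata" % typ)

def read_mmdb_metadata(blob):
    """Metadata map of an MMDB, or None if the marker is absent from the last 128 KiB."""
    tail = blob[-131072:]                          # the spec confines the marker to the tail
    idx = tail.rfind(MARKER)
    return None if idx < 0 else _decode(tail, idx + len(MARKER))[0]

def check_city_mmdb(blob):
    """(ok, reason): is this an MMDB whose database_type is a City database?"""
    meta = read_mmdb_metadata(blob)
    if meta is None:                               # legacy GeoIP .dat files have no marker
        return False, "no MMDB metadata marker: not an .mmdb (legacy .dat?)"
    dbtype = str(meta.get("database_type", ""))
    if not dbtype.endswith("City"):
        return False, "database_type is %r, not a City database" % dbtype
    return True, "MMDB %s, languages %s" % (dbtype, meta.get("languages", []))

# Constructed sample, not a real file: fake tree bytes, the marker, then a hand-encoded
# metadata map {node_count: 42, database_type: "GeoLite2-City", languages: ["en"]}
SAMPLE_MMDB = (b"\x00" * 16 + MARKER + b"\xe3"     # map with 3 pairs
    + b"\x4anode_count" + b"\xc1\x2a"              # key, uint32 42
    + b"\x4ddatabase_type" + b"\x4dGeoLite2-City"  # key, string
    + b"\x49languages" + b"\x01\x04" + b"\x42en")  # key, array (extended type 11) of "en"
SAMPLE_DAT = b"\x00" * 32 + b"\xff\xff\xff\x02"    # constructed stand-in for a legacy .dat tail
```

Run `check_city_mmdb(open(path, "rb").read())` on the file csv2dat.py produced and on the GeoLite2-City.mmdb shipped with Splunk to see the difference pygeoip complained about.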

graether
Path Finder

Thanks MuS for pointing this out!
Somehow this

https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/

looks promising, and I'll give it a try.

Cheers

0 Karma

tiago_comasseto
Explorer

Hi @graether, we're trying to do the same with our internal IPs. Did you get any progress with the .mmdb file?

Thanks

0 Karma

graether
Path Finder

Hello Tiago,

I did not need to edit the .mmdb file anymore due to a project scope change. I started with
https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/
but it was not so straightforward. So unfortunately no news from my side.

0 Karma

niketn
Legend

Refer to the following repository for updating MaxMind DB in Splunk:

https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html
http://www.georgestarcher.com/splunk-updating-the-geoip-database/

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

graether
Path Finder

Thanks, but I need to put my own IPs into the database, as explained in Customizing-Maxmind-IP-Geo-DB-for-Internal-Networks

0 Karma