A lot of incident reports or events only contain the IP address of the source or destination of the event. For everyday use, however, it is often important to know which Autonomous System (AS) that IP address belonged to. IntelMQ has an expert bot built in which enriches your events with exactly this data.

In this post, I'd like to show you how to add this functionality to your IntelMQ installation.

Requirements:

  1. An up-to-date IntelMQ

  2. An up-to-date IntelMQ-Manager

  3. PyASN 1.5.0b7

  4. A provider for routing data (a BGP routing table dump in MRT format)

  5. Around 30 minutes of your time, probably less

For this example we are going to use the data from RIPE's Routing Information Service (RIS). The dump is updated every 8 hours, and you can choose between different route collectors (rrc00, rrc12, ...), each of which sees the network from a different vantage point.

Let's start. I assume you have all requirements up and running.

  1. Download the dump to a directory of your liking. I like /tmp/ .

     $ curl http://data.ris.ripe.net/rrc12/latest-bview.gz -o /tmp/latest-bview.gz

     Note that this is a plain-HTTP download; use HTTPS if the mirror offers it, and check that curl actually saved a gzip file. If it saved an HTML error page instead, step 2 will fail with "not in gzip format".

  2. From my understanding of PyASN, it cannot use gz-compressed files and always tries to unpack the input when converting it into an IPASN data file. (See the GitHub repository of PyASN for an example of this format.) This means we need to repack the file as bz2. This will take a while.

     $ gunzip -c < /tmp/latest-bview.gz | bzip2 -c > /tmp/latest-bview.bz2

  3. Use the convert utility from PyASN to convert the data. This may also take a while.

     $ pyasn_util_convert.py --single /tmp/latest-bview.bz2 /tmp/ipasn.dat

  4. We are almost done. Use the IntelMQ Manager to add the ASN Lookup Expert and, as its database, point it at the file you created in step 3:

     "database": "/tmp/ipasn.dat"

     (/tmp is fine for a quick test; on many systems it is emptied at reboot, so use a persistent directory for a production setup.) Then add the new expert to your pipeline by creating links from the preceding bot to the expert and from the expert to the following bot.

Don’t forget to save your configuration.

  5. Start the ASN Lookup Expert and restart the bot preceding it, so that it picks up the changed pipeline. That's it.

Hint: after eight hours this data is outdated, as routing information changes rapidly. Put steps 1 to 3 in a cron job so they run regularly, and restart the expert afterwards, since it reads the database file when it starts.
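Steps 1 to 3 plus the swap-in as a cron-friendly POSIX shell script. This is an added example for this post, not code from IntelMQ or PyASN; it assumes curl, gunzip, bzip2 and pyasn_util_convert.py are on PATH, that DB_PATH matches the "database" value of your expert, and the bot id passed to intelmqctl is an assumption you have to replace with the one from your pipeline.

```shell
#!/bin/sh
# update-ipasn.sh: steps 1 to 3 from this post as a cron-safe script.
# Added example for this post, not code from IntelMQ or PyASN.
# Assumptions (adjust to your setup):
#   - curl, gunzip, bzip2 and pyasn_util_convert.py (PyASN 1.5.0b7) are on PATH
#   - DB_PATH is the "database" value configured for the ASN Lookup Expert
#   - the bot id "asn-lookup-expert" used for the restart is hypothetical
set -eu

RRC="${RRC:-rrc12}"                      # RIS collector, as in the post
URL="http://data.ris.ripe.net/${RRC}/latest-bview.gz"   # use https if the mirror offers it
DB_PATH="${DB_PATH:-/tmp/ipasn.dat}"
WORK="$(mktemp -d)"                      # scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Step 1: download. --fail turns an HTTP error into a non-zero exit instead of
# silently saving the error page, which would break the next step.
fetch_dump() {
    curl --fail --silent --show-error "$URL" -o "$WORK/latest-bview.gz"
}

# Step 2: repack gz -> bz2 for the convert tool.
repack_dump() {
    gunzip -c < "$WORK/latest-bview.gz" | bzip2 -c > "$WORK/latest-bview.bz2"
}

# Step 3: convert the MRT dump into the IPASN text format.
convert_dump() {
    pyasn_util_convert.py --single "$WORK/latest-bview.bz2" "$WORK/ipasn.dat.new"
}

# Guard: never replace a working database with a truncated one. Counts data
# lines of the form "prefix<TAB>asn" (comment lines start with ';') and
# succeeds only if at least $2 of them exist (default 100000; a full IPv4
# table has several hundred thousand prefixes).
db_looks_sane() {
    file="$1"; min="${2:-100000}"
    n=$(grep -v '^;' "$file" | grep -cE '^[0-9a-fA-F:.]+/[0-9]+[[:space:]]+[0-9]+$' || true)
    [ "$n" -ge "$min" ]
}

# Swap the new file in with a rename inside the target directory, so a bot
# that opens the file at that moment sees either the old or the new copy,
# never a half-written one.
install_db() {
    src="$1"; dst="$2"
    cp "$src" "$dst.tmp" && mv -f "$dst.tmp" "$dst"
}

main() {
    fetch_dump
    repack_dump
    convert_dump
    if ! db_looks_sane "$WORK/ipasn.dat.new"; then
        echo "new database looks truncated; keeping $DB_PATH" >&2
        exit 1
    fi
    install_db "$WORK/ipasn.dat.new" "$DB_PATH"
    # The expert reads the database when it starts, so restart it to pick up
    # the new file (bot id is an assumption; use the id from your pipeline).
    intelmqctl restart asn-lookup-expert
}

# Only run the pipeline when called as "update-ipasn.sh run", so the functions
# can be sourced or tested without touching the network.
case "${1:-}" in
    run) main ;;
esac
```

Run it from cron as `sh update-ipasn.sh run`; without the `run` argument it only defines the functions. The sanity check is the part worth keeping even if you script this differently: a failed or truncated download should never replace a database the bot is currently using, and the rename makes the replacement atomic for the bot.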

Questions? Join #intelmq on freenode and ask them. We are glad to help.