ASN Lookup made easy

Wed, 27 Apr 2016 13:00:00 +0200

A lot of incident reports or events do only contain the IP-Address of the source or destination of the event. But for your everyday use it might be important to know the Autonomous System which contained this IP address. IntelMQ has an expert Bot build in, which helps you to enrich your event with this data.

In this post, I’d like to tell you how you can add this functionality to your IntelMQ

Requirements:

Up-To-Date IntelMQ
Up-To-Date IntelMQ-Manager.
PyASN 1.5.0b7
A provider for routing data
- RIPE RIS-RAW-Data
- 3TU-Weekly
Around 30 minutes of your time, probably less.

For this example we are going to use the data from RIPE. The dump is updated every 8 hours, you can choose between different collectors which will show different points of view on the network.

Let’s start. I presume you have all requirements up and running.

Download your data to a directory of your liking. I like /tmp/ . $ curl http://data.ris.ripe.net/rrc12/latest-bview.gz -o /tmp/latest-bview.gz
From my understanding of PyASN, it cannot use gz compressed files, and always tries to unpack the files, when converting them into an IPASN-Data-File. (See the GitHub Repository of PyASN to have a glance at an example for this format.) This means we need to repack the file into bz2 format. This will take a while. $ gunzip -c < /tmp/latest-bview.gz | bzip2 -c > /tmp/latest-bview.bz2
Use the convert utility from PyASN to convert the data. This may take a while. $ pyasn_util_convert.py --single /tmp/latest-bview.bz2 /tmp/ipasn.dat
We are almost done. Use the manager to add the ASN Lookup Expert. As database use the file you created with the convert-tool in step 3 "database": "/tmp/ipasn.dat" Add your newly created expert bot to your pipeline by creating links from and to the expert.

Don’t forget to save your configuration.

Start the ASN Lookup Expert and restart its preceding bot. That’s it.

Hint: After eight hours this data will be deprecated, as routing information changes very rapidly. Add steps 1 to 3 to a cron-job to repeat them regularly.

Questions? Join #intelmq on freenode and ask them. We are glad to help.

Migrating to Python3 Only

Tue, 05 Apr 2016 15:55:49 +0200

Since of today, we will be dropping Python2.7 support and only use Python3. The reasons are:

keeping compatibility between Ptyhon2 as well as Python3 creates ugly code with lots of exceptions. This is being reduced now.
All libraries that we need are supported in Python3

Please note that over the course of the next weeks, we will clean up any Python2 related documentation and code.