2017-08-21 06:55 PM
RSA used to provide a feed for Autonomous System Number (ASN) which is no longer available for download. I created a Perl script that converts the Maxmind CSV file into something usable by a decoder. The Perl script creates the ASN CSV file needed to create the feed. The XML file is used to compile the feed.
By default, the ASN keys (asn.src and asn.dst) are not indexed, and if you wish to run queries or reports, you need to add the following to your Broker(s)/Concentrator(s) and restart the Broker(s)/Concentrator(s) for indexing to take effect:
<key description="Source ASN" format="UInt32" level="IndexValues" name="asn.src" valueMax="500000"/>
<key description="Destination ASN" format="UInt32" level="IndexValues" name="asn.dst" valueMax="500000"/>
Steps
Download the GeoLite ASN GeoIPASNum2.zip file from Maxmind and unzip GeoIPASNum2.zip with maxmindasn.pl & maxmindasn.xml on any NetWitness appliance.
Execute the Maxmind Perl script (i.e. perl maxmindasn.pl) and it will create a new file, maxmindasn.csv. This file is used with the maxmindasn.xml to create the feed.
There are two ways to create the feed. Either with NwConsole:
# NwConsole
# feed create maxmindasn.xml
- Upload the feed maxmindasn.feed to all decoders
Or directly in the SA GUI: as an administrator, push it to all the decoders in Live -> Feeds -> Custom Feeds -> Adhoc or Recurring and load the files as follows:
An example where you can use the ASN information
[1] http://dev.maxmind.com/geoip/legacy/geolite/
[2] http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip
2017-11-30 10:12 AM
When I try to upload the XML file via the GUI I get "Invalid xml feed file". Any ideas?
2017-11-30 01:42 PM
Did you run the Perl script against the GeoIPASNum2.csv file first? It needs to be formatted first for the XML to work. I just tested it and it works fine after you have processed the file. I usually compile mine with NwConsole but the GUI via Live works as well.
2017-11-30 02:54 PM
I did run the Perl script against the GeoIPASNum2. I did it again with no change.
2017-12-01 06:30 AM
I just checked this morning and the GUI didn't like the fact that UINT32 in the XML was all in upper case instead of UInt32. I changed it and re-uploaded the package. I normally use the Linux NwConsole to compile my packages and it appears it didn't care.
Thanks for letting me know.
2022-05-09 08:00 AM
If you want to use an ASN source other than Maxmind, I have updated the Perl script and XML to use a different site for my ASN list.
# Download IPv4 file from: https://iptoasn.com
# wget https://iptoasn.com/data/ip2asn-v4.tsv.gz
# gunzip ip2asn-v4.tsv.gz
# Unzip the file and then run this command to convert the file into comma delimited:
# cat ip2asn-v4.tsv | sed 's/\t/,/g' > ip2asn.tsv
#
# After you have run the script against the CSV file, use NwConsole to compile the feed
# or upload it via the GUI to the decoders. To compile it via NwConsole:
# NwConsole
# feed create ip2asn.xml
# Upload the feed ip2asn.feed to all decoders
# You will need to add the following keys to both Broker/Concentrator and restart the
# nwbroker and nwconcentrator services
#
# <key description="Source ASN" format="UInt32" level="IndexValues" name="asn.src" valueMax="500000"/>
# <key description="Destination ASN" format="UInt32" level="IndexValues" name="asn.dst" valueMax="500000"/>
#
# Add the following to each decoder and restart the decoder service
# <key description="Source ASN" name="asn.src" format="UInt32" level="IndexNone"/>
# <key description="Destination ASN" name="asn.dst" format="UInt32" level="IndexNone"/>
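As an added example (not the Perl script or the XML definition posted in this thread), here is a Python converter that does the formatting step the first post and the 2022 update both describe: it reads either the legacy MaxMind GeoIPASNum2.csv layout or the iptoasn.com ip2asn-v4.tsv layout and writes comma-delimited rows ready to be compiled into a feed. The two input layouts, the output column order (CIDR, ASN), the sample rows and the function names are assumptions; the feed definition XML that maps the columns onto asn.src/asn.dst is not shown and must match your own file.

```python
#!/usr/bin/env python3
"""Convert an IP-range-to-ASN list into comma-delimited rows for a NetWitness feed.

Added example, not the Perl script from this thread. Assumed layouts (not on the page):
  ip2asn-v4.tsv (iptoasn.com): start_ip<TAB>end_ip<TAB>asn<TAB>country<TAB>description
  GeoIPASNum2.csv (legacy MaxMind): start_int,end_int,"ASnnnn description"
Output rows are "cidr,asn"; the feed definition XML (not shown here) must map
column 1 to the IPv4 index and column 2 to asn.src / asn.dst.
"""
import csv
import io
import ipaddress
import sys

UINT32_MAX = 0xFFFFFFFF  # asn.src / asn.dst are declared format="UInt32" in the index keys


def _ipv4_range(start, end, asn, lineno):
    """Validate one range; ip_address() accepts dotted strings or integers."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s.version != 4 or e.version != 4 or s > e:
        raise ValueError(f"line {lineno}: bad IPv4 range {start}-{end}")
    if not 0 <= asn <= UINT32_MAX:
        raise ValueError(f"line {lineno}: ASN {asn} does not fit UInt32")
    return s, e, asn


def parse_ip2asn_tsv(text):
    """Yield (start, end, asn) from ip2asn-v4.tsv content (tab separated)."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected start, end and ASN columns")
        yield _ipv4_range(fields[0], fields[1], int(fields[2]), lineno)


def parse_geoipasnum2_csv(text):
    """Yield (start, end, asn) from legacy GeoIPASNum2.csv content (integer IPs, quoted 'ASnnnn desc')."""
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), 1):
        if not fields:
            continue
        if len(fields) != 3 or not fields[2].startswith("AS"):
            raise ValueError(f'line {lineno}: expected start_int,end_int,"ASnnnn description"')
        asn = int(fields[2].split()[0][2:])
        yield _ipv4_range(int(fields[0]), int(fields[1]), asn, lineno)


def feed_rows(ranges):
    """Expand each range into CIDR blocks (neither source is CIDR-aligned). ASN 0 marks
    'Not routed' space in ip2asn and carries no attribution, so those rows are dropped."""
    for s, e, asn in ranges:
        if asn == 0:
            continue
        for net in ipaddress.summarize_address_range(s, e):
            yield str(net), asn


def build_feed_csv(ranges):
    """Serialise rows with the csv module so no field can smuggle a separator."""
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(feed_rows(ranges))
    return out.getvalue()


# Constructed sample rows in each layout (not real allocations).
SAMPLE_IP2ASN = (
    "1.0.0.0\t1.0.0.255\t13335\tUS\tCLOUDFLARENET\n"
    "1.0.1.0\t1.0.3.255\t0\tNone\tNot routed\n"
    "10.1.0.0\t10.1.5.255\t64512\tZZ\tEXAMPLE, INC.\n"
)
SAMPLE_GEOIPASNUM2 = (
    '16777216,16777471,"AS13335 CLOUDFLARENET"\n'
    '167837696,167839231,"AS64512 EXAMPLE, INC."\n'
)

if __name__ == "__main__":
    # Usage: python3 asn2feed.py [ip2asn|geoip] < input > output.csv
    fmt = sys.argv[1] if len(sys.argv) > 1 else "ip2asn"
    parser = parse_geoipasnum2_csv if fmt == "geoip" else parse_ip2asn_tsv
    sys.stdout.write(build_feed_csv(parser(sys.stdin.read())))
```

Two choices worth noting. The start/end ranges in both sources are expanded into CIDR blocks with ipaddress.summarize_address_range, because a range such as 10.1.0.0-10.1.5.255 is not a single prefix and becomes 10.1.0.0/22 plus 10.1.4.0/23. The output is written with the csv module and the description column is not emitted at all, so an AS name containing a comma (common in the iptoasn data) cannot shift the columns the way a plain tab-to-comma substitution would. Every ASN is also checked against 2^32-1 so it matches the UInt32 format declared in the index keys above.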