ASN information


Imtiaz Rahman

Sep 28, 2023, 3:35:57 AM
to Wazuh | Mailing List
Hello all,

I'm forwarding the Suricata logs to Wazuh. With the srcip field I got the country name, city name, and location information. I want to get the AS (asn, asn_org) information along with that information.

Thanks in advance.

Imtiaz

David Correa Rodriguez

Oct 3, 2023, 7:45:21 AM
to Wazuh | Mailing List
To enrich your Suricata logs with AS (Autonomous System) information such as ASN (Autonomous System Number) and ASN organization, you can use external services or APIs that provide this data. One common service used for this purpose is the MaxMind GeoIP2 and GeoIP ASN databases. Here's a general outline of the steps to achieve this:

1. Download the GeoIP2 and GeoIP ASN databases. MaxMind provides free and paid versions of these databases. The paid version generally offers more accurate and up-to-date data.

2. Install and configure Wazuh. Ensure that you have Wazuh installed and properly configured to receive Suricata logs.

3. Install the MaxMind database reader. You'll need a MaxMind database reader library to query the GeoIP2 and GeoIP ASN databases. You can use libraries like geoip2 for this purpose.

4. Enrich Suricata logs. Write a custom script or rule in Wazuh that uses the MaxMind database reader to enrich Suricata logs with ASN information.

5. Extract the srcip field from Suricata logs. Use the MaxMind database reader to query the GeoIP2 and GeoIP ASN databases to get the country name, city name, location information, ASN, and ASN organization for the srcip address.

Here is some useful documentation:

- https://wazuh.com/blog/responding-to-network-attacks-with-suricata-and-wazuh-xdr/
- https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
- https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html
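An added example of steps 3 to 5 above in Python (not code from this thread, from Wazuh or from MaxMind): it reads the source address from a Suricata EVE JSON event, skips addresses that a public ASN database cannot resolve, and attaches asn/asn_org for Wazuh to decode. It assumes the EVE key `src_ip` (or `srcip`, the name Wazuh's decoder gives it), a GeoLite2-ASN `.mmdb` file on disk, and the `geoip2` package; the `GeoASN` field name and the stub lookup table are constructed for the example.

```python
import ipaddress
from typing import Callable, Optional, Tuple

AsnLookup = Callable[[str], Optional[Tuple[int, str]]]  # ip -> (asn, asn_org) or None

# Addresses that never appear in a public ASN database; skipped before lookup.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

def maxmind_asn_lookup(db_path: str) -> AsnLookup:
    """Lookup backed by MaxMind's GeoLite2-ASN .mmdb through the geoip2 library."""
    import geoip2.database  # lazy import: the rest of the module works without geoip2
    import geoip2.errors
    reader = geoip2.database.Reader(db_path)

    def lookup(ip: str) -> Optional[Tuple[int, str]]:
        try:
            rec = reader.asn(ip)
        except geoip2.errors.AddressNotFoundError:
            return None  # address not covered by the database
        return rec.autonomous_system_number, rec.autonomous_system_organization
    return lookup

def enrich_event(event: dict, lookup: AsnLookup) -> dict:
    """Return a copy of an EVE event with GeoASN {asn, asn_org} added when resolvable."""
    enriched = dict(event)
    ip = event.get("src_ip") or event.get("srcip")  # EVE key, or Wazuh's renamed key
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed address: pass the event through untouched
        return enriched
    if any(addr in net for net in NON_ROUTABLE):
        return enriched  # internal sensors see RFC 1918 sources constantly; no lookup
    result = lookup(str(addr))
    if result is not None:
        enriched["GeoASN"] = {"asn": result[0], "asn_org": result[1]}
    return enriched

# Constructed sample events and stub lookup (documentation IP range, reserved ASN),
# so the example runs offline without the .mmdb file.
SAMPLE_EVE = [
    {"event_type": "alert", "src_ip": "203.0.113.7", "dest_ip": "10.0.0.5"},
    {"event_type": "flow", "src_ip": "192.168.1.20", "dest_ip": "10.0.0.5"},
    {"event_type": "stats"},  # no src_ip at all
]
STUB_ASN = {"203.0.113.7": (64496, "EXAMPLE-ORG")}
stub_lookup: AsnLookup = STUB_ASN.get
```

In production replace `stub_lookup` with `maxmind_asn_lookup("/path/to/GeoLite2-ASN.mmdb")` and write the enriched events to a file Wazuh monitors as JSON; a custom decoder then exposes `GeoASN.asn` and `GeoASN.asn_org` to rules.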