Looks like AS number and name enrichments are not working #67

Closed
alexcpsec opened this issue Sep 15, 2014 · 7 comments
@alexcpsec
Member

Maybe I broke it when I updated the files, maybe not. This needs investigating.

@alexcpsec alexcpsec self-assigned this Sep 15, 2014
@alexcpsec alexcpsec added the bug label Sep 15, 2014
@krmaxwell
Member

What specifically did you observe?

@alexcpsec
Member Author

I sampled a few entries from crop.json so that processing time would not be so bad. I took maybe the top 25 ones from yesterday.

After running winnower, all of them had countries (some had rhosts from DNSDB) but NONE had asnumber/asname. So I figured something could be wrong.

@krmaxwell
Member

Hrm, having trouble reproducing this.

@alexcpsec
Member Author

Try with this:

[
  [
    "27.159.210.82", 
    "IPv4", 
    "inbound", 
    "http://www.projecthoneypot.org/list_of_ips.php?rss=1", 
    "", 
    "2014-09-15"
  ], 
  [
    "120.33.245.248", 
    "IPv4", 
    "inbound", 
    "http://www.projecthoneypot.org/list_of_ips.php?rss=1", 
    "", 
    "2014-09-15"
  ], 
  [
    "62.210.148.172", 
    "IPv4", 
    "inbound", 
    "http://www.projecthoneypot.org/list_of_ips.php?rss=1", 
    "", 
    "2014-09-15"
  ], 
  [
    "46.39.255.195", 
    "IPv4", 
    "inbound", 
    "http://www.projecthoneypot.org/list_of_ips.php?rss=1", 
    "", 
    "2014-09-15"
  ], 
  [
    "110.89.36.219", 
    "IPv4", 
    "inbound", 
    "http://www.projecthoneypot.org/list_of_ips.php?rss=1", 
    "", 
    "2014-09-15"
  ], 
  [
    "91.200.12.14", 
    "IPv4", 
    "inbound", 
    "http://www.projecthoneypot.org/list_of_ips.php?rss=1", 
    "", 
    "2014-09-15"
  ]
]

@krmaxwell
Member

Okay, this is something I can work with!

@krmaxwell
Member

OK, major logic fail on my part. Every time we read a new row from data/GeoIPASNum2.csv, we assign to the specified ASN the range in that row. But this is wrong because many ASNs have multiple ranges, including in particular AS4134 Chinanet.

So effectively the dict only contains the last range for each ASN. Working on fixing this now.

@alexcpsec
Member Author

AH! Of course. Completely forgot about that as well.

krmaxwell pushed a commit that referenced this issue Sep 16, 2014
Fixes #67 by indexing per range, not per org name
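
The overwrite bug described in the thread, shown beside a per-range index, as an added example that is not the project's own code. It assumes each row of data/GeoIPASNum2.csv has the form `start_int,end_int,"ASnnn name"`; the ranges below are constructed and every function name is hypothetical.

```python
import bisect
import csv
import io
import ipaddress

def _row(first, last, org):
    # Build one CSV row in the assumed layout: start_int,end_int,"ASnnn name"
    return '%d,%d,"%s"' % (int(ipaddress.ip_address(first)),
                           int(ipaddress.ip_address(last)), org)

# Constructed sample: AS4134 owns two separate ranges, as in the issue.
SAMPLE_CSV = "\n".join([
    _row("27.148.0.0", "27.159.255.255", "AS4134 Chinanet"),
    _row("192.0.2.0", "192.0.2.255", "AS64500 Example Net"),
    _row("120.32.0.0", "120.43.255.255", "AS4134 Chinanet"),
])

def load_per_asn(text):
    """Buggy shape: one slot per ASN, so each new row replaces the last."""
    table = {}
    for start, end, org in csv.reader(io.StringIO(text)):
        table[org] = (int(start), int(end))
    return table

def lookup_per_asn(table, ip):
    n = int(ipaddress.ip_address(ip))
    for org, (start, end) in table.items():
        if start <= n <= end:
            return org
    return None  # enrichment silently missing

def load_per_range(text):
    """Fixed shape: one entry per range, sorted by start for binary search."""
    return sorted((int(s), int(e), org)
                  for s, e, org in csv.reader(io.StringIO(text)))

def lookup_per_range(ranges, ip):
    n = int(ipaddress.ip_address(ip))
    # Index of the last range starting at or before n; (n, inf) sorts
    # after every (n, end, org) tuple, so an exact start match is included.
    i = bisect.bisect_right(ranges, (n, float("inf"))) - 1
    if i >= 0 and ranges[i][1] >= n:
        return ranges[i][2]
    return None

def split_org(org):
    """Split 'AS4134 Chinanet' into asnumber and asname fields."""
    asnumber, _, asname = org.partition(" ")
    return asnumber[2:], asname
```

With the per-ASN table, an address in the first AS4134 range gets no AS data at all, which matches the symptom of entries having a country but no asnumber/asname.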