import json
import geoip2 . database
import sys
import logging
# Module logger: DEBUG and above go to stdout in the
# "<timestamp> - <logger> - <level> - <message>" layout.
formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s")
ch = logging.StreamHandler(sys.stdout)
ch.setLevel(logging.DEBUG)
ch.setFormatter(formatter)
log = logging.getLogger("geoip_country")
log.setLevel(logging.DEBUG)
log.addHandler(ch)

# Error payload template used by the handler; MISP expects an 'error' key.
misperrors = dict(error="Error")
# Attribute types the module accepts as input and produces as output.
mispattributes = dict(
    input=["ip-src", "ip-dst", "domain|ip"],
    output=["freetext"],
)
# Settings MISP lets the administrator configure for this module.
moduleconfig = ["local_geolite_db"]

# possible module-types: 'expansion', 'hover' or both
moduleinfo = {
    "version": "0.2",
    "author": "Andreas Muehlemann",
    "description": "Query a local copy of Maxminds Geolite database, updated for MMDB format",
    "module-type": ["expansion", "hover"],
    "name": "GeoIP Country Lookup",
    "logo": "maxmind.png",
    "requirements": ["A local copy of Maxmind's Geolite database"],
    "features": (
        "This module takes an IP address MISP attribute as input and queries a local copy "
        "of the Maxmind's Geolite database to get information about the location of this "
        "IP address.\n\nPlease note that composite attributes domain|ip are also supported."
    ),
    "references": ["https://www.maxmind.com/en/home"],
    "input": "An IP address MISP Attribute.",
    "output": "Text containing information about the location of the IP address.",
}
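def _extract_ip(request):
    """Pick the IP address to look up from a decoded MISP request.

    Attributes are tried in the order ``ip-dst``, ``ip-src``, ``domain|ip``;
    for the composite form only the part after the ``|`` separator is used.

    Args:
        request: the decoded request dict.

    Returns:
        The IP address string, ``None`` when no supported attribute is
        present, or ``''`` when ``domain|ip`` is present but has nothing
        after the separator.
    """
    for key in ('ip-dst', 'ip-src'):
        if request.get(key):
            return request[key]
    composite = request.get('domain|ip')
    if composite:
        # partition() never raises, unlike split('|')[1] on a value without '|'.
        return composite.partition('|')[2]
    return None


def handler(q=False):
    """Resolve the country ISO code of the IP address carried by a MISP request.

    Args:
        q: JSON-encoded MISP request (a string), or False when called with no
           payload. The request must carry ``config['local_geolite_db']`` (path
           to the MMDB file) and one of the ``ip-dst``, ``ip-src`` or
           ``domain|ip`` attributes.

    Returns:
        False when there is nothing to do, a ``{'error': ...}`` dict when the
        configuration, the attribute or the lookup is unusable, otherwise a
        MISP result dict whose single value is the country ISO code.

    Raises:
        json.JSONDecodeError: if ``q`` is not valid JSON.
    """
    if q is False:
        return False
    request = json.loads(q)

    config = request.get('config') or {}
    path_to_geolite = config.get('local_geolite_db')
    if not path_to_geolite:
        return {'error': 'Please specify the path of your local copy of Maxminds Geolite database'}

    toquery = _extract_ip(request)
    if toquery is None:
        return False
    if not toquery:
        return {'error': 'The domain|ip attribute does not contain an IP address.'}

    try:
        reader = geoip2.database.Reader(path_to_geolite)
    except FileNotFoundError:
        return {'error': f'Unable to locate the GeoLite database you specified ({path_to_geolite}).'}

    log.debug(toquery)
    try:
        answer = reader.country(toquery)
    except Exception as e:
        # geoip2 raises ValueError for a malformed address and
        # AddressNotFoundError for one absent from the database; both (and any
        # other reader failure) are reported back to MISP as text. A fresh dict
        # is returned instead of mutating the module-level ``misperrors``.
        return {'error': f"GeoIP resolving error: {e}"}
    finally:
        # The reader holds the MMDB file open; release it on every path.
        reader.close()

    iso_code = answer.country.iso_code
    if not iso_code:
        # The record exists but carries no country; don't emit a None value.
        return {'error': f'No country information found for {toquery}.'}
    return {'results': [{'types': mispattributes['output'], 'values': [iso_code]}]}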
def introspection():
    """Expose the attribute types this module accepts and emits.

    Returns:
        The module-level ``mispattributes`` mapping, which MISP reads to learn
        the accepted input and produced output attribute types.
    """
    supported = mispattributes
    return supported
def version():
    """Return the module metadata with its configuration keys attached.

    MISP calls this to discover the module; the ``config`` entry is filled in
    here rather than in ``moduleinfo`` itself so it always mirrors
    ``moduleconfig``.

    Returns:
        The module-level ``moduleinfo`` dict, updated in place with a
        ``config`` key listing the configurable settings.
    """
    moduleinfo.update(config=moduleconfig)
    return moduleinfo