MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

updated to geoip2 to support mmdb format

pull/345/head
milkmix 2019-10-25 18:09:44 +02:00
parent e1602fdca9
commit bdc5282e09
3 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
REQUIREMENTS
View File

@ -46,7 +46,7 @@ pdftotext==2.1.1
pillow==6.0.0 pillow==6.0.0
psutil==5.6.2 psutil==5.6.2
pyeupi==1.0 pyeupi==1.0
pygeoip==0.3.2 geoip2==2.9.0
pyparsing==2.4.0 pyparsing==2.4.0
pypdns==1.4.1 pypdns==1.4.1
pypssl==2.1 pypssl==2.1

3
misp_modules/modules/expansion/geoip_country.cfg
View File

@ -1,3 +1,2 @@
[GEOIP] [GEOIP]
database = /opt/misp-modules/var/GeoIP.dat database = /opt/misp-modules/var/Geo2-Country.mmdb

12
misp_modules/modules/expansion/geoip_country.py
View File

@ -1,5 +1,5 @@
import json import json
import pygeoip import geoip2.database
import sys import sys
import os import os
import logging import logging
@ -17,15 +17,15 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['freetext']} mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['freetext']}
# possible module-types: 'expansion', 'hover' or both # possible module-types: 'expansion', 'hover' or both
moduleinfo = {'version': '0.1', 'author': 'Andreas Muehlemann', moduleinfo = {'version': '0.2', 'author': 'Andreas Muehlemann',
'description': 'Query a local copy of Maxminds Geolite database', 'description': 'Query a local copy of Maxminds Geolite database, updated for MMDB format',
'module-type': ['expansion', 'hover']} 'module-type': ['expansion', 'hover']}
try: try:
# get current db from http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz # get current db from https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz
config = configparser.ConfigParser() config = configparser.ConfigParser()
config.read(os.path.join(os.path.dirname(os.path.abspath(__file__)), 'geoip_country.cfg')) config.read(os.path.join(os.path.dirname(os.path.abspath(__file__)), 'geoip_country.cfg'))
gi = pygeoip.GeoIP(config.get('GEOIP', 'database')) gi = geoip2.database.Reader(config.get('GEOIP', 'database'))
enabled = True enabled = True
except Exception: except Exception:
enabled = False enabled = False
@ -48,7 +48,7 @@ def handler(q=False):
log.debug(toquery) log.debug(toquery)
try: try:
answer = gi.country_code_by_addr(toquery) answer = (gi.country(toquery)).country.iso_code
except Exception: except Exception:
misperrors['error'] = "GeoIP resolving error" misperrors['error'] = "GeoIP resolving error"
return misperrors return misperrors