
Clarify install instructions wrt GeoIP

Open StefanKelm opened this issue 8 years ago • 4 comments

When following the current install instructions:

sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
cd misp-modules
sudo pip3 install -I -r REQUIREMENTS
sudo pip3 install -I .
sudo vi /etc/rc.local, add this line: `sudo -u www-data misp-modules -s &`
misp-modules #to start the modules

the GeoIP module will not be functioning for two reasons:

  • the file geoip_country.cfg is not being copied to the file system at /usr/...
  • the file GeoIP.dat is not being installed at the location corresponding to geoip_country.cfg

Suggest to clarify install instructions, or can this be handled by sudo pip3 install ?

StefanKelm, Dec 13 '17 13:12
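The two gaps listed above (the cfg not landing next to the module, and GeoIP.dat not sitting where the cfg says it is) can be checked before starting the service. The script below is an added example, not misp-modules' own code. It assumes that geoip_country.py looks for geoip_country.cfg in its own directory, that the cfg is INI-style with a `[GEOIP]` section whose `database` key holds the path to GeoIP.dat, and that the pip-installed package is importable as `misp_modules` with its expansion modules under `modules/expansion`; all three are assumptions, and the fixtures in `demo()` are constructed.

```python
# Added example (not misp-modules' own code): preflight check for the
# geoip_country install gaps reported in this issue.
# Assumptions, labelled: cfg lives beside the module, has a [GEOIP] section
# with a "database" key, and the package imports as misp_modules.
import configparser
import os
import tempfile


def check_geoip_install(module_dir):
    """Check the two install prerequisites for geoip_country.

    Returns (ok, problems): ok is True only when geoip_country.cfg sits in
    module_dir, names a database, and that database file exists and is
    readable by the user running this check.
    """
    problems = []
    cfg_path = os.path.join(module_dir, "geoip_country.cfg")
    if not os.path.isfile(cfg_path):
        problems.append("config not installed: %s" % cfg_path)
        return False, problems

    cfg = configparser.ConfigParser()
    cfg.read(cfg_path)
    # Assumed cfg layout: [GEOIP] section with a "database" key.
    if not cfg.has_option("GEOIP", "database"):
        problems.append("%s has no [GEOIP] database entry" % cfg_path)
        return False, problems

    db_path = cfg.get("GEOIP", "database")
    if not os.path.isfile(db_path):
        problems.append("database missing: %s (referenced by %s)" % (db_path, cfg_path))
    elif not os.access(db_path, os.R_OK):
        problems.append("database not readable: %s" % db_path)
    return not problems, problems


def installed_expansion_dir():
    """Locate the installed expansion-module directory, or None.

    Assumption: the pip package is importable as misp_modules and keeps its
    expansion modules under modules/expansion, as in the repository checkout.
    """
    try:
        import misp_modules
    except ImportError:
        return None
    return os.path.join(os.path.dirname(misp_modules.__file__), "modules", "expansion")


def demo():
    """Constructed fixtures: a missing cfg, a missing database, a complete install."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        mod_dir = os.path.join(tmp, "expansion")
        os.mkdir(mod_dir)
        # 1. cfg was never copied next to the module
        results["no_cfg"] = check_geoip_install(mod_dir)
        # 2. cfg present but pointing at a database that was never downloaded
        db_path = os.path.join(tmp, "GeoIP.dat")
        with open(os.path.join(mod_dir, "geoip_country.cfg"), "w") as fh:
            fh.write("[GEOIP]\ndatabase = %s\n" % db_path)
        results["no_db"] = check_geoip_install(mod_dir)
        # 3. a file placed where the cfg points (empty stand-in for GeoIP.dat)
        open(db_path, "wb").close()
        results["ok"] = check_geoip_install(mod_dir)
    return results


if __name__ == "__main__":
    target = installed_expansion_dir()
    if target is None:
        print("misp_modules not importable; running against constructed fixtures")
        for name, (ok, problems) in demo().items():
            print(name, ok, problems)
    else:
        ok, problems = check_geoip_install(target)
        print("OK" if ok else "\n".join(problems))
```

Because the rc.local line starts the service as www-data, run the check as that user (`sudo -u www-data python3 check_geoip.py`) so the readability test reflects the account that will actually open GeoIP.dat.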

Has anyone been able to get results out of this module? I have tried dozens of different IP addresses but the module always returns empty "Enrichment results".

I'm running the module against the file mentioned within geoip_country.py (http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz) and I'm pretty sure the module is able to open GeoIP.dat (if the file is not there the module always returns "GeoIP resolving error").

Furthermore, every enrichment query is successfully logged to the console via log.debug(toquery)

(I've also tried against the newer GeoLite2 database which doesn't work w/ the module)

StefanKelm, Dec 15 '17 14:12

I've now been able to narrow down the problem. The GeoIP module actually is working but only in hover mode, not in expansion mode:

[screenshot: hover mode result]

[screenshot: expansion mode result]

According to the source code the module should be working in both modes:

moduleinfo = {'version': '0.1', 'author': 'Andreas Muehlemann',
              'description': 'Query a local copy of Maxminds Geolite database',
              'module-type': ['expansion', 'hover']}

StefanKelm, Dec 20 '17 13:12

I have the same problem with Geo_IP. How did you configure the "Plugin.Enrichment_reversedns_nameserver"?

p3tr0v, Jan 31 '18 16:01

Good point, it won't work in normal expansion, as the output is freetext: just giving raw text with the country code won't be parsed by the parser.

Maybe the best would be to have the geolocation object created and linked back to the attributes. But we need to update the modules to fully support objects in misp-modules; this is an ongoing project.

adulau, Jan 31 '18 20:01