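package parser

import (
	"errors"
	"fmt"
	"net"
	"path/filepath"
	"strconv"

	"bitbucket.org/Aishee/synsec/pkg/types"
	log "github.com/sirupsen/logrus"

	"github.com/oschwald/geoip2-golang"
	"github.com/oschwald/maxminddb-golang"
)

// GeoIpEnricherCtx holds the open MaxMind readers shared by the GeoIP
// enrichment functions. It is built by GeoIpInit and handed back to each
// enricher through the opaque ctx parameter.
type GeoIpEnricherCtx struct {
	dbc   *geoip2.Reader    // GeoLite2-City: country / location lookups
	dba   *geoip2.Reader    // GeoLite2-ASN: autonomous-system lookups
	dbraw *maxminddb.Reader // raw reader over the ASN database: network-prefix lookups
}

/* All plugins must export a list of function pointers for exported symbols */
var ExportedFuncs = []string{"GeoIpASN", "GeoIpCity"}

// enricherCtx recovers the GeoIpEnricherCtx from the opaque ctx argument.
// A wrong dynamic type or a context whose readers were never opened is
// reported as an error instead of panicking inside the parser, so a
// misconfigured plugin surfaces as a diagnosable failure.
func enricherCtx(ctx interface{}) (GeoIpEnricherCtx, error) {
	c, ok := ctx.(GeoIpEnricherCtx)
	if !ok {
		return GeoIpEnricherCtx{}, fmt.Errorf("geoip enricher: unexpected context type %T", ctx)
	}
	if c.dbc == nil || c.dba == nil || c.dbraw == nil {
		return GeoIpEnricherCtx{}, errors.New("geoip enricher: context is not initialised")
	}
	return c, nil
}

// IpToRange resolves the network block that contains the IP given in field,
// using the raw MaxMind reader. It returns {"SourceRange": <prefix>} on success.
// An empty field, an unparsable IP, a lookup error or a miss in the database
// all yield (nil, nil): the condition is logged, not propagated, so a missing
// range never blocks parsing. Only a malformed ctx is returned as an error.
func IpToRange(field string, p *types.Event, ctx interface{}) (map[string]string, error) {
	if field == "" {
		return nil, nil
	}
	ip := net.ParseIP(field)
	if ip == nil {
		log.Infof("Can't parse ip %s, no range enrich", field)
		return nil, nil
	}
	ectx, err := enricherCtx(ctx)
	if err != nil {
		return nil, err
	}
	// LookupNetwork insists on a destination for the record even though only
	// the matched prefix is used here.
	var dummy interface{}
	network, found, err := ectx.dbraw.LookupNetwork(ip, &dummy)
	if err != nil {
		log.Errorf("Failed to fetch network for %s : %v", ip.String(), err)
		return nil, nil
	}
	if !found {
		log.Debugf("Unable to find range of %s", ip.String())
		return nil, nil
	}
	return map[string]string{"SourceRange": network.String()}, nil
}

// GeoIpASN looks the IP in field up in the GeoLite2-ASN database and returns
// {"ASNNumber": <decimal AS number>, "ASNOrg": <organisation>}.
// An empty field, an unparsable IP or a failed lookup yield (nil, nil) after
// logging; only a malformed ctx is returned as an error.
func GeoIpASN(field string, p *types.Event, ctx interface{}) (map[string]string, error) {
	if field == "" {
		return nil, nil
	}
	ip := net.ParseIP(field)
	if ip == nil {
		// Log the raw field: ip is nil at this point and would only print "<nil>".
		log.Infof("Can't parse ip %s, no ASN enrich", field)
		return nil, nil
	}
	ectx, err := enricherCtx(ctx)
	if err != nil {
		return nil, err
	}
	record, err := ectx.dba.ASN(ip)
	if err != nil {
		log.Errorf("Unable to enrich ip '%s' : %v", field, err)
		return nil, nil
	}
	ret := map[string]string{
		"ASNNumber": strconv.FormatUint(uint64(record.AutonomousSystemNumber), 10),
		"ASNOrg":    record.AutonomousSystemOrganization,
	}
	log.Tracef("geoip ASN %s -> %s, %s", field, ret["ASNNumber"], ret["ASNOrg"])
	return ret, nil
}

// GeoIpCity looks the IP in field up in the GeoLite2-City database and returns
// {"IsoCode", "IsInEU", "Latitude", "Longitude"} as strings (booleans as
// "true"/"false", coordinates with six decimals).
// An empty field, an unparsable IP or a failed lookup yield (nil, nil) after
// logging; only a malformed ctx is returned as an error.
func GeoIpCity(field string, p *types.Event, ctx interface{}) (map[string]string, error) {
	if field == "" {
		return nil, nil
	}
	ip := net.ParseIP(field)
	if ip == nil {
		// Log the raw field: ip is nil at this point and would only print "<nil>".
		log.Infof("Can't parse ip %s, no City enrich", field)
		return nil, nil
	}
	ectx, err := enricherCtx(ctx)
	if err != nil {
		return nil, err
	}
	record, err := ectx.dbc.City(ip)
	if err != nil {
		log.Debugf("Unable to enrich ip '%s' : %v", ip, err)
		return nil, nil
	}
	ret := map[string]string{
		"IsoCode":   record.Country.IsoCode,
		"IsInEU":    strconv.FormatBool(record.Country.IsInEuropeanUnion),
		"Latitude":  strconv.FormatFloat(record.Location.Latitude, 'f', 6, 64),
		"Longitude": strconv.FormatFloat(record.Location.Longitude, 'f', 6, 64),
	}
	log.Tracef("geoip City %s -> %s, %s", field, ret["IsoCode"], ret["IsInEU"])
	return ret, nil
}

/* All plugins must export an Init function */

// GeoIpInit opens the GeoLite2-City and GeoLite2-ASN databases located under
// cfg["datadir"] and returns a GeoIpEnricherCtx (by value) wrapping them.
// A missing datadir is rejected up front rather than silently resolving the
// database names against the filesystem root. Readers that were already
// opened are closed again when a later open fails, so a partial failure does
// not leak file handles.
func GeoIpInit(cfg map[string]string) (interface{}, error) {
	datadir := cfg["datadir"]
	if datadir == "" {
		return nil, errors.New("geoip init: datadir is not configured")
	}
	cityPath := filepath.Join(datadir, "GeoLite2-City.mmdb")
	asnPath := filepath.Join(datadir, "GeoLite2-ASN.mmdb")

	var ctx GeoIpEnricherCtx
	var err error

	ctx.dbc, err = geoip2.Open(cityPath)
	if err != nil {
		log.Debugf("couldn't open geoip : %v", err)
		return nil, err
	}
	ctx.dba, err = geoip2.Open(asnPath)
	if err != nil {
		log.Debugf("couldn't open geoip : %v", err)
		_ = ctx.dbc.Close() // best-effort cleanup; the open error is what the caller needs
		return nil, err
	}
	// The raw reader is opened over the same ASN database: IpToRange needs the
	// matched network prefix, which the geoip2 convenience API does not expose.
	ctx.dbraw, err = maxminddb.Open(asnPath)
	if err != nil {
		log.Debugf("couldn't open geoip : %v", err)
		_ = ctx.dbc.Close() // best-effort cleanup, see above
		_ = ctx.dba.Close()
		return nil, err
	}

	return ctx, nil
}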