示例#1
 def __init__(self):
     """Register the event fields this plugin wants and set its run order.

     ``registration`` lists the lower-cased event keys (or values) that
     cause a message to be handed to this plugin; ``priority`` orders the
     plugins (0 runs first, 100 is the default when none is given).  The
     GeoLite2 city database is opened here, located relative to this file.
     """
     self.registration = ['sourceipaddress', 'destinationipaddress']
     self.priority = 20
     plugin_dir = os.path.dirname(os.path.abspath(__file__))
     db_path = os.path.join(plugin_dir, "../../data/GeoLite2-City.mmdb")
     self.geoip = GeoIP(db_path)
示例#2
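def save_db_data(save_path, db_data):
    """Replace the GeoLite DB at ``save_path`` with ``db_data`` only after validating it.

    The bytes are written to a sibling ``.tmp`` file, flushed and fsynced,
    then opened with ``GeoIP`` and probed with a single lookup so that a
    truncated or otherwise malformed download never replaces a working
    database.  Only a file that passes that check is renamed into place;
    on any failure the temp file is removed and the exception propagates.

    Args:
        save_path: final location of the ``.mmdb`` file.
        db_data: raw database bytes to persist.

    Raises:
        Whatever ``open``/``GeoIP``/``lookup_ip`` raise; the ``.tmp`` file
        is cleaned up first.
    """
    temp_save_path = save_path + ".tmp"
    logger.debug("Saving db data to " + temp_save_path)
    try:
        with open(temp_save_path, "wb") as db_file:
            db_file.write(db_data)
            # flush Python's buffer before fsync, otherwise fsync only covers
            # whatever already reached the OS
            db_file.flush()
            os.fsync(db_file.fileno())
        logger.debug("Testing temp geolite db file")
        geo_ip = GeoIP(temp_save_path)
        # Do a generic lookup to verify we don't get any errors (malformed data)
        geo_ip.lookup_ip('8.8.8.8')
    except Exception:
        # never leave a half-written or invalid .tmp beside the live database
        try:
            os.remove(temp_save_path)
        except OSError:
            pass
        raise
    logger.debug("Moving temp file to " + save_path)
    os.rename(temp_save_path, save_path)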
示例#3
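def save_db_data(save_path, db_data):
    """Replace the GeoLite DB at ``save_path`` with ``db_data`` only after validating it.

    The bytes are written to a sibling ``.tmp`` file, flushed and fsynced,
    then opened with ``GeoIP`` and probed with a single lookup so that a
    truncated or otherwise malformed download never replaces a working
    database.  Only a file that passes that check is renamed into place;
    on any failure the temp file is removed and the exception propagates.

    Args:
        save_path: final location of the ``.mmdb`` file.
        db_data: raw database bytes to persist.

    Raises:
        Whatever ``open``/``GeoIP``/``lookup_ip`` raise; the ``.tmp`` file
        is cleaned up first.
    """
    temp_save_path = save_path + ".tmp"
    logger.debug("Saving db data to " + temp_save_path)
    try:
        with open(temp_save_path, "wb") as db_file:
            db_file.write(db_data)
            # flush Python's buffer before fsync, otherwise fsync only covers
            # whatever already reached the OS
            db_file.flush()
            os.fsync(db_file.fileno())
        logger.debug("Testing temp geolite db file")
        geo_ip = GeoIP(temp_save_path)
        # Do a generic lookup to verify we don't get any errors (malformed data)
        geo_ip.lookup_ip('8.8.8.8')
    except Exception:
        # never leave a half-written or invalid .tmp beside the live database
        try:
            os.remove(temp_save_path)
        except OSError:
            pass
        raise
    logger.debug("Moving temp file to " + save_path)
    os.rename(temp_save_path, save_path)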
示例#4
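def _format_geo_location(geoDict):
    """Render one ``GeoIP.lookup_ip`` result as ``Country`` or ``Country/metro``.

    Returns the lookup's ``error`` string unchanged when present, the
    country name otherwise, and appends ``/<metro_code>`` only for US
    results that carry a truthy metro code.  ``None`` or a result without
    a country name yields ``""``.
    """
    if geoDict is None:
        return ""
    if 'error' in geoDict:
        return geoDict['error']
    location = geoDict.get('country_name') or ""
    # exact comparison: the original `in ('US')` was a substring test on the
    # string 'US' and therefore also matched 'U', 'S' and ''
    if geoDict.get('country_code') == 'US' and geoDict.get('metro_code'):
        location = location + '/{0}'.format(geoDict['metro_code'])
    return location


def ipLocation(ip):
    """Return a short human-readable location string for ``ip``.

    Opens the GeoLite2 city database that sits next to this module
    (``../data/GeoLite2-City.mmdb``), looks ``ip`` up and formats the
    result with ``_format_geo_location``.  Any failure (missing database,
    lookup error, unexpected result shape) is swallowed and ``""`` is
    returned, so callers can always concatenate the result.

    Args:
        ip: IP address text to resolve.

    Returns:
        ``"Country"``, ``"Country/metro"`` for US hits, the lookup's error
        message, or ``""``.
    """
    try:
        geoip_data_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), "../data/GeoLite2-City.mmdb")
        geoip = GeoIP(geoip_data_dir)
        return _format_geo_location(geoip.lookup_ip(ip))
    except Exception:
        # deliberate best-effort: enrichment must never break the caller
        return ""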
示例#5
文件: ip_info.py 项目: IFGHou/MozDef
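def _format_geo_dict(geo_dict):
    """Render one ``GeoIP.lookup_ip`` result as ``Country`` or ``Country/metro``.

    Returns the lookup's ``error`` string unchanged when present, the
    country name otherwise, and appends ``/<metro_code>`` only for US
    results that carry a truthy metro code.  ``None`` or a result without
    a country name yields ``""``.
    """
    if geo_dict is None:
        return ""
    if 'error' in geo_dict:
        return geo_dict['error']
    location = geo_dict.get('country_name') or ""
    # exact comparison: the original `in ('US')` was a substring test on the
    # string 'US' and therefore also matched 'U', 'S' and ''
    if geo_dict.get('country_code') == 'US' and geo_dict.get('metro_code'):
        location = location + '/{0}'.format(geo_dict['metro_code'])
    return location


def ip_location(ip):
    """Return a short human-readable location string for ``ip``.

    Opens the GeoLite2 city database relative to this module
    (``../../../data/GeoLite2-City.mmdb``), looks ``ip`` up and formats
    the result with ``_format_geo_dict``.  Any failure (missing database,
    lookup error, unexpected result shape) is swallowed and ``""`` is
    returned, so callers can always concatenate the result.

    Args:
        ip: IP address text to resolve.

    Returns:
        ``"Country"``, ``"Country/metro"`` for US hits, the lookup's error
        message, or ``""``.
    """
    try:
        geoip_data_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), "../../../data/GeoLite2-City.mmdb")
        geoip = GeoIP(geoip_data_dir)
        return _format_geo_dict(geoip.lookup_ip(ip))
    except Exception:
        # deliberate best-effort: enrichment must never break the caller
        return ""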
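class message(object):
    """Plugin that adds GeoIP data beside the source/destination IP fields of an event."""

    def __init__(self):
        '''register our criteria for being passed a message
           as a list of lower case strings or values to match with an event's dictionary of keys or values
           set the priority if you have a preference for order of plugins to run.
           0 goes first, 100 is assumed/default if not sent
        '''
        self.registration = ['sourceipaddress', 'destinationipaddress']
        self.priority = 20
        geoip_data_dir = os.path.join(
            os.path.dirname(os.path.abspath(__file__)),
            "../../data/GeoLite2-City.mmdb")
        self.geoip = GeoIP(geoip_data_dir)

    def ipLocation(self, ip):
        """Look ``ip`` up in the plugin's GeoIP database.

        Returns the lookup dict unchanged when there is one,
        ``{'location': 'unknown'}`` when the lookup yields ``None``, and
        ``{}`` when the reader raises ``ValueError``; the caller stores
        whatever comes back on the event.
        """
        try:
            geoDict = self.geoip.lookup_ip(ip)
        except ValueError:
            # best-effort enrichment: a lookup the reader rejects is not fatal
            return dict()
        if geoDict is not None:
            return geoDict
        return {'location': 'unknown'}

    def _geolocate_field(self, details, ip_field, geo_field):
        """Enrich one IP field of ``details`` in place; see ``onMessage`` for the rules."""
        if ip_field not in details:
            return
        ipText = details[ip_field]
        if not isIP(ipText):
            # invalid ip sent in the field
            # if we send on, elastic search will error, so set it
            # to a valid, yet meaningless value
            details[ip_field] = '0.0.0.0'
            return
        ip = netaddr.IPNetwork(ipText)[0]
        # addresses netaddr classifies as loopback, private or reserved get
        # no lookup and the field is left untouched
        if not ip.is_loopback() and not ip.is_private() and not ip.is_reserved():
            details[geo_field] = self.ipLocation(ipText)

    def onMessage(self, message, metadata):
        """Plugin hook: add ``sourceipgeolocation`` / ``destinationipgeolocation``.

        Events without a ``details`` key pass through untouched.  For each of
        ``details['sourceipaddress']`` and ``details['destinationipaddress']``
        that is present: a value ``isIP`` rejects is overwritten with
        ``'0.0.0.0'`` so the downstream indexer does not reject the event
        (the original text is not preserved anywhere); a routable address
        gets a geolocation dict stored beside it; loopback, private and
        reserved addresses are left as they are.

        Returns the ``(message, metadata)`` pair, as the plugin API expects.
        """
        if 'details' in message:
            details = message['details']
            self._geolocate_field(details, 'sourceipaddress', 'sourceipgeolocation')
            self._geolocate_field(details, 'destinationipaddress', 'destinationipgeolocation')
        return (message, metadata)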
示例#7
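def save_db_data(db_file, db_data):
    """Write ``db_data`` to ``db_file`` under ``options.db_store_location`` only after validating it.

    The bytes go to a ``mkstemp`` file in the same directory (so the final
    rename stays on one filesystem), are flushed and fsynced, and the closed
    temp file is then opened with ``GeoIP`` and probed with a single lookup
    so that a truncated or malformed download never replaces the live
    database.  Only a file that passes that check is renamed into place; on
    any failure the temp file is removed and the exception propagates.

    Args:
        db_file: file name of the database inside the store directory.
        db_data: raw ``.mmdb`` bytes.

    Raises:
        Whatever ``mkstemp``/``GeoIP``/``lookup_ip`` raise; the temp file is
        cleaned up first.
    """
    import os

    save_path = path.join(options.db_store_location, db_file)
    fd, temp_path = mkstemp(suffix='.tmp',
                            prefix=db_file,
                            dir=options.db_store_location)
    try:
        # wrap the mkstemp descriptor instead of opening the path a second
        # time and leaving the original fd open for the whole write
        with os.fdopen(fd, 'wb') as temp:
            logger.debug("Saving db data to " + temp_path)
            temp.write(db_data)
            # flush the Python buffer first: fsync before flush only syncs
            # whatever happened to reach the OS already
            temp.flush()
            fsync(temp.fileno())
        logger.debug("Testing temp geolite db file")
        geo_ip = GeoIP(temp_path)
        # Do a generic lookup to verify we don't get any errors (malformed data)
        geo_ip.lookup_ip('8.8.8.8')
    except Exception:
        # never leave a half-written or invalid temp file in the store dir
        try:
            os.unlink(temp_path)
        except OSError:
            pass
        raise
    logger.debug("Moving temp file to " + save_path)
    rename(temp_path, save_path)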
示例#8
 def test_without_db_file(self):
     """A reader built on a missing database path reports an error dict instead of raising."""
     reader = GeoIP("nonexistent_db")
     result = reader.lookup_ip('129.21.1.40')
     assert result['error'] == 'No Geolite DB Found!'