Feature #4649 (open)
Autonomous System Number (ASN) support similar to GeoIP
Description
Request is to introduce a new keyword which leverages the MaxMind GeoIP ASN database similar to that of the current "geoip" keyword.
The keyword should also allow for negations.
This keyword is useful for detecting host name impersonation such as the following:
http.host; content:".azure.com"; endswith; asn:!dst,398656,398575;
The optional "org" argument could allow the AS Organization to be inspected instead of the AS number itself, useful when an org has many different ASNs:
http.host; content:".azure.com"; endswith; asn:!dst,org Microsoft Corporation;
I provide the above only as examples, I'm not too concerned about the specific keyword format.
Documentation on the GeoIP ASN Database can be found here - https://dev.maxmind.com/geoip/docs/databases/asn?lang=en
Updated by Michael Tremer over 3 years ago
Hello Brandon,
Victor made me aware of this ticket when we were discussing integrating the IPFire Location database into suricata (https://location.ipfire.org).
We have this data available in the database and querying is fast so that we could easily implement this.
Matching the ASN is absolutely no problem.
The organization is probably not so easy, because we cannot always rely on the string. They change often and use different abbreviations ("Inc.", or "Ltd." vs "Limited"). Making this work reliably is probably going to be difficult.
Updated by Brandon Murphy over 3 years ago
They change often and use different abbreviations ("Inc.", or "Ltd." vs "Limited"). Making this work reliably is probably going to be difficult.
I would imagine these are localized to specific organizations though. While Github might always use "Github Inc." I would be surprised if they vary from that. Additionally, much like the GeoIP feature supports multiple countries treated as a logical OR, perhaps we can do the same here and allow the signature writer to cover those variants?
Updated by Michael Tremer over 3 years ago
I have submitted a draft pull request for the geoip implementation. If that receives good feedback and is being merged I would be happy to consider adding ASN support into the module:
Updated by Michael Tremer about 3 years ago
I had a look at what data we have in our database. For "GitHub Inc." it looks like this:
root@michael:/build/location-database# git grep -i github
database.txt:name: GITHUB
Workable I would say. However Google looks like this:
root@michael:/build/location-database# git grep -i google
database.txt:name: GOOGLE-FIBER
database.txt:name: GOOGLE
database.txt:name: GOOGLE-PRIVATE-CLOUD
database.txt:name: GOOGLE-FIBER
database.txt:name: GOOGLE-FIBER
database.txt:name: GOOGLE-2
database.txt:name: GOOGLE
database.txt:name: AS-GOOGLE-EDGE-INFRA
database.txt:name: GOOGLE-CLOUD-2
database.txt:name: GOOGLE
database.txt:name: GOOGLE-IT
database.txt:name: GOOGLE-IT
database.txt:name: GOOGLEWIFI
database.txt:name: Google Kenya Limited
database.txt:name: Google Switzerland GmbH
database.txt:name: Google Ireland Limited
database.txt:name: Google India Pvt. Ltd.
database.txt:name: GOOGLE-CLOUD
database.txt:name: Google Asia Pacific Pte. Ltd.
database.txt:name: Google Asia Pacific Pte. Ltd.
database.txt:name: GOOGLE
database.txt:name: GOOGLE
database.txt:name: GOOGLE-ACCESS-NYC
database.txt:name: GOOGLE-2
database.txt:name: GOOGLE-PRIVATE-CLOUD
These are taken from the text dump of the IPFire Location database.
Maybe Google is a bad example since it is such a large organisation which has grown through acquisitions and had to merge it all together in one way or another.
Here are some more:
root@michael:/build/location-database# git grep -i facebook
database.txt:name: FACEBOOK
database.txt:name: FACEBOOK-CORP
database.txt:name: FACEBOOK-OFFNET
root@michael:/build/location-database# git grep -i linkedin
database.txt:name: LINKEDIN
database.txt:name: LINKEDIN
database.txt:name: LINKEDIN
database.txt:name: LINKEDIN-1
database.txt:name: LINKEDIN
database.txt:name: LINKEDIN
database.txt:name: Linkedin Singapore Pte. Ltd
database.txt:name: Linkedin Singapore Pte. Ltd
database.txt:name: Beijing LinkedIn Information Technology Co.,Ltd
database.txt:name: LinkedIn Corporation
database.txt:name: LinkedIn Corporation
database.txt:name: LinkedIn Austria GmbH
root@michael:/build/location-database# git grep -i netflix
database.txt:name: NETFLIX-ASN
database.txt:name: Netflix Durga Webtech Pvt Ltd
root@michael:/build/location-database# git grep -i akamai
database.txt:name: AKAMAI
database.txt:name: AKAMAI-AS
database.txt:name: AKAMAI-AS
database.txt:name: AKAMAI-NOMINUM-ASN
database.txt:name: AKAMAI-AS
database.txt:name: AKAMAI-AS
database.txt:name: AKAMAI-AS
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: AKAMAI-AS
database.txt:name: AKAMAI-NOMINUM-ASN
database.txt:name: AKAMAI-AS
database.txt:name: AKAMAI-AS
database.txt:name: Akamai Technologies, Inc.
database.txt:name: Akamai Technologies, Inc.
database.txt:name: AKAMAI-NOMINUM-ASN
database.txt:name: AKAMAI-AS
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: AKAMAI-INSTART-ASN
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: AKAMAI-AS
database.txt:name: AKAMAI-AS
database.txt:name: AKAMAI-AS
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Open Akamai Indonesia
database.txt:name: Akamai Technologies, Inc.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai Technologies, Inc.
database.txt:name: Akamai Technologies, Inc.
database.txt:name: Akamai Technologies, Inc.
database.txt:name: Akamai International B.V.
database.txt:name: Akamai International B.V.
database.txt:name: AKAMAI-TEST
I would not consider it practical to match regular expressions to have the option for "OR" or a lot of flexibility in general. Matching ASNs only would be a deterministic way that is performing well with loads of traffic.
Would you be able to sponsor this feature?
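To make the two threads of this ticket concrete (the proposed asn keyword syntax with negation from the description, and the org-name variability shown in the grep output above), here is an added Python prototype that is not part of the ticket or of Suricata. The prefix table, ASNs, organisation strings and the source address 10.0.0.1 are constructed placeholders, and the handling of unknown prefixes is an assumption of this prototype.

```python
import ipaddress
import re

# Constructed sample prefix table: (network, ASN, AS organisation name).
# Prefixes are documentation ranges; ASNs and names are illustrative only.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 398656, "MICROSOFT-CORP-MSN-AS-BLOCK"),
    (ipaddress.ip_network("198.51.100.0/24"), 398575, "Microsoft Corporation"),
    (ipaddress.ip_network("192.0.2.0/24"), 64496, "Google Ireland Limited"),
]


def lookup(ip):
    """Return (asn, org) for an IP, or (None, None) if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, asn, org in ASN_TABLE:
        if addr in net:
            return asn, org
    return None, None


def parse_asn_option(option):
    """Parse the proposed syntax: [!](src|dst),<asn>[,<asn>...] or [!](src|dst),org <name>."""
    m = re.fullmatch(r"(!?)(src|dst),(.+)", option.strip())
    if not m:
        raise ValueError("bad asn option: %r" % option)
    negated, direction, rest = m.group(1) == "!", m.group(2), m.group(3)
    if rest.startswith("org "):
        return negated, direction, set(), rest[4:].strip()
    return negated, direction, {int(x) for x in rest.split(",")}, None


def asn_matches(option, src_ip, dst_ip):
    """Evaluate one asn:<option> against a flow. Unknown prefixes never hit,
    so a negated option fires on them (an assumption of this prototype)."""
    negated, direction, asns, org = parse_asn_option(option)
    asn, org_name = lookup(dst_ip if direction == "dst" else src_ip)
    if org is not None:
        # Exact, case-insensitive comparison: "Microsoft Corporation" does not
        # match the "MICROSOFT-CORP-MSN-AS-BLOCK" variant, which is exactly
        # the reliability problem with org-name matching raised above.
        hit = org_name is not None and org_name.casefold() == org.casefold()
    else:
        hit = asn in asns
    return hit != negated


def impersonation_alert(http_host, dst_ip, option="!dst,398656,398575"):
    """Model of: http.host; content:".azure.com"; endswith; asn:<option>;"""
    return http_host.endswith(".azure.com") and asn_matches(option, "10.0.0.1", dst_ip)
```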
Updated by Brandon Murphy almost 3 years ago
- Tracker changed from Bug to Feature
Updated by Victor Julien over 1 year ago
- Assignee set to Community Ticket
- Target version set to TBD