ASN name shows "unknown" when using GeoLite2-ASN

Hello!

I’ve noticed that periodically my Elastiflow ECS results when shown in Kibana will show “unknown” for an ASN’s name next to the ASN itself, while the MaxMind database on the same host reports the correct name. From what I’ve noticed, this occurs only with specific ASNs, meanwhile everything else populates without issue.

For example, you would generally expect a result of “ACME Inc (65534)” when viewing the AS traffic dashboard if the maxmind dashboard reports ACME Inc as the organization for AS65534; however, the actual result in the dashboard shows as “unknown (65534)”.

Upgrading to flowcoll 7.20.0 doesn’t seem to resolve the issue either, which has me perplexed as to what exactly is occurring.

I’d greatly appreciate some assistance in tracking down the source of this somewhat niche issue, as the flowcoll logs don’t seem to give anything useful for IP or ASN enrichment in terms of errors.

Thanks in advance!

Hi!

I’m a little unclear on what you mean by “the maxmind dashboard”; can you attach some screenshots?

Is this a native or docker install?

Also, what are the ASN related settings in flowcoll.yml, and how current is the GeoLite2-ASN.mmdb file that the flow collector is using?

EF_PROCESSOR_ENRICH_ASN_PREF: lookup
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_ENABLE: "true"
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_PATH: /etc/elastiflow/maxmind/GeoLite2-ASN.mmdb
EF_PROCESSOR_ENRICH_JOIN_ASN: "true"

Regards,

Dexter

This is my bad; I was referring to mmdbinspect, which can query the database file directly via CLI.

Native on Debian 12.

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_ENABLE: "true"
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_PATH: /volumes/maxmind/geoip2/GeoLite2-ASN.mmdb
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE: "true"
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_PATH: ""
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_REFRESH_RATE: 15
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_LANG: en
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_PATH: /volumes/maxmind/geoip2/GeoLite2-City.mmdb
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_VALUES: city,country,country_code,location,timezone

Very recent, freshly downloaded from the MaxMind site.

I did notice that your example has some added variables such as EF_PROCESSOR_ENRICH_ASN_PREF and EF_PROCESSOR_ENRICH_JOIN_ASN, should I be using these on flowcoll 7.20.0 as well?

The defaults are probably fine for those two settings and everything looks correct with what you have provided.

I’m not sure what else could be the issue. Can you share the full JSON of a record that has the ‘unknown’ ASN tag?

Regards,

Dexter

Here’s the JSON for a record that shows it https://haste.accuris.ca/raw/noqekuqubori
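As a triage aid for the kind of record requested above, here is an added example (not the poster's data and not ElastiFlow's own tooling). It walks NDJSON flow records, assuming ElastiFlow's ECS field layout (`source.as.number`, `source.as.organization.name`, and the same under `destination`), tallies the ASNs that carry a number but an "unknown" organization name, and pairs each one with the name a stand-in for the mmdbinspect lookup reports. The sample records and the ASN-to-name map are constructed placeholders using private-range ASNs.

```python
import json
from collections import Counter

# Constructed ECS-style flow records in NDJSON form, modelled on the field
# names ElastiFlow's ECS output uses. Not real data; ASNs are private-range
# placeholders and IPs come from documentation ranges.
SAMPLE_NDJSON = "\n".join([
    json.dumps({
        "source": {"ip": "192.0.2.10",
                   "as": {"number": 65534, "organization": {"name": "unknown"}}},
        "destination": {"ip": "198.51.100.7",
                        "as": {"number": 65535, "organization": {"name": "Example Net"}}},
    }),
    json.dumps({
        "source": {"ip": "192.0.2.11",
                   "as": {"number": 65534, "organization": {"name": "unknown"}}},
        "destination": {"ip": "198.51.100.8",
                        "as": {"number": 65533, "organization": {"name": "unknown"}}},
    }),
    json.dumps({
        # Source side has no ASN enrichment at all (e.g. an RFC1918 address).
        "source": {"ip": "192.0.2.12"},
        "destination": {"ip": "198.51.100.9",
                        "as": {"number": 65535, "organization": {"name": "Example Net"}}},
    }),
])

# Constructed stand-in for what mmdbinspect reported for the same ASNs from
# GeoLite2-ASN.mmdb (assumption: a plain ASN -> organization name map).
MMDB_NAMES = {65534: "ACME Inc", 65535: "Example Net", 65533: "Other Org"}


def asn_of(record, side):
    """Return (asn_number, org_name) for 'source' or 'destination',
    or None when that side carries no ASN enrichment."""
    as_block = record.get(side, {}).get("as")
    if not as_block or "number" not in as_block:
        return None
    name = as_block.get("organization", {}).get("name")
    return int(as_block["number"]), name


def unknown_asn_counts(ndjson_text):
    """Count, per ASN, how many record sides have an ASN number
    but an organization name of 'unknown'."""
    counts = Counter()
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        for side in ("source", "destination"):
            hit = asn_of(record, side)
            if hit is not None and hit[1] == "unknown":
                counts[hit[0]] += 1
    return dict(counts)


def compare_with_mmdb(counts, mmdb_names):
    """Pair each affected ASN with the name the database reports, so the
    collector's failed joins can be listed against the source of truth."""
    return {asn: mmdb_names.get(asn) for asn in sorted(counts)}


if __name__ == "__main__":
    affected = unknown_asn_counts(SAMPLE_NDJSON)
    for asn, expected in compare_with_mmdb(affected, MMDB_NAMES).items():
        print(f"AS{asn}: {affected[asn]} record side(s) show 'unknown'; "
              f"mmdb reports {expected!r}")
```

To use it on an export from Kibana or Elasticsearch, replace SAMPLE_NDJSON with the file contents and populate the map from the mmdbinspect output for the listed ASNs; any ASN where the database has a name but the records say "unknown" is a candidate to check against the collector's ASN lookup rather than the database itself.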