cscli parsers install crowdsecurity/geoip-enrich
The GeoIP module relies on the MaxMind GeoLite2 databases to enrich events with information about the source IP.

The following information will be added to the event:

Meta.IsoCode: two-letter country code
Meta.IsInEU: a boolean indicating whether the IP is in the EU
Meta.GeoCoords: latitude and longitude of the IP
Meta.ASNNumber: Autonomous System Number
Meta.ASNOrg: Autonomous System Name
Meta.SourceRange: the public range to which the IP belongs

This configuration includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com. It includes two data files:
```yaml
filter: |
  let ipv6Check = IsIPV6(evt.Meta.source_ip);
  "source_ip" in evt.Meta &&
  (
    not ipv6Check &&
    not (IpInRange(evt.Meta.source_ip, "127.0.0.0/8") || IpInRange(evt.Meta.source_ip, "192.168.0.0/16") || IpInRange(evt.Meta.source_ip, "172.16.0.0/12") || IpInRange(evt.Meta.source_ip, "10.0.0.0/8"))
  ) ||
  (
    ipv6Check &&
    not (IpInRange(evt.Meta.source_ip, "::1/128") || IpInRange(evt.Meta.source_ip, "fd00::/8") || IpInRange(evt.Meta.source_ip, "fc00::/7"))
  )

name: crowdsecurity/geoip-enrich
description: "Populate event with geoloc info : as, country, coords, source range."
data:
  - source_url: https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb
    dest_file: GeoLite2-City.mmdb
  - source_url: https://hub-data.crowdsec.net/mmdb_update/GeoLite2-ASN.mmdb
    dest_file: GeoLite2-ASN.mmdb
statics:
  - method: GeoIpCity
    expression: evt.Meta.source_ip
  - meta: IsoCode
    expression: evt.Enriched.IsoCode
  - meta: IsInEU
    expression: evt.Enriched.IsInEU
  - meta: GeoCoords
    expression: evt.Enriched.GeoCoords
  - method: GeoIpASN
    expression: evt.Meta.source_ip
  - meta: ASNNumber
    expression: evt.Enriched.ASNNumber
  - meta: ASNOrg
    expression: evt.Enriched.ASNOrg
  - method: IpToRange
    expression: evt.Meta.source_ip
  - meta: SourceRange
    expression: evt.Enriched.SourceRange
```
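To make the parser's two stages concrete, here is an added Python example (not CrowdSec's code and not part of the hub page) that re-implements what the configuration above does to an event: the `filter` decides whether a source IP is public enough to be worth a lookup, and the `statics` run in order, each `method` filling `evt.Enriched` and each following `meta` entry copying one key into `evt.Meta`. The GeoLite2 files are replaced by a constructed in-memory table using documentation prefixes and reserved ASNs, the `IsIPV6`/`IpInRange` helpers are plain `ipaddress` calls, the string formatting of `IsInEU`, `GeoCoords` and `ASNNumber` is an assumption (CrowdSec keeps `Meta` as a string map), and deriving `SourceRange` from the ASN table is likewise an assumption. The example also applies the `"source_ip" in evt.Meta` test before both the IPv4 and the IPv6 branch.

```python
import ipaddress

# Private / loopback ranges the parser's filter excludes (taken from the page).
PRIVATE_V4 = [ipaddress.ip_network(c) for c in
              ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
PRIVATE_V6 = [ipaddress.ip_network(c) for c in ("::1/128", "fd00::/8", "fc00::/7")]

# CONSTRUCTED stand-in for GeoLite2-City.mmdb and GeoLite2-ASN.mmdb:
# documentation prefixes (RFC 5737 / RFC 3849) and reserved ASNs (RFC 5398).
# Nothing here is real geolocation data.
FAKE_CITY_DB = {
    "203.0.113.0/24": {"IsoCode": "FR", "IsInEU": True, "Lat": 48.8534, "Lon": 2.3488},
    "2001:db8::/32":  {"IsoCode": "US", "IsInEU": False, "Lat": 37.7510, "Lon": -97.8220},
}
FAKE_ASN_DB = {
    "203.0.113.0/24": {"ASNNumber": 64496, "ASNOrg": "EXAMPLE-NET-1"},
    "2001:db8::/32":  {"ASNNumber": 64497, "ASNOrg": "EXAMPLE-NET-2"},
}


def _longest_match(db, ip):
    """Return (network, record) for the most specific prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, rec in db.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, rec)
    return best


def passes_filter(evt):
    """Python reading of the parser's expr filter: enrich only when a
    source_ip is present, parses as an address, and is not in one of the
    private/loopback ranges for its address family."""
    ip = evt.get("Meta", {}).get("source_ip")
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # a non-address value never reaches the lookups
        return False
    excluded = PRIVATE_V6 if addr.version == 6 else PRIVATE_V4
    return not any(addr in net for net in excluded)


def enrich(evt):
    """Apply the statics in the page's order. Each `method` fills
    evt.Enriched; the `meta` statics then copy those keys into evt.Meta.
    Events rejected by the filter are returned untouched."""
    if not passes_filter(evt):
        return evt
    ip = evt["Meta"]["source_ip"]
    enriched = evt.setdefault("Enriched", {})

    # method: GeoIpCity -> IsoCode / IsInEU / GeoCoords
    hit = _longest_match(FAKE_CITY_DB, ip)
    if hit:
        rec = hit[1]
        enriched["IsoCode"] = rec["IsoCode"]
        enriched["IsInEU"] = "true" if rec["IsInEU"] else "false"      # string map (assumed format)
        enriched["GeoCoords"] = f'{rec["Lat"]:.6f},{rec["Lon"]:.6f}'   # "lat,lon" (assumed format)

    # method: GeoIpASN -> ASNNumber / ASNOrg
    hit = _longest_match(FAKE_ASN_DB, ip)
    if hit:
        enriched["ASNNumber"] = str(hit[1]["ASNNumber"])
        enriched["ASNOrg"] = hit[1]["ASNOrg"]

    # method: IpToRange -> SourceRange (assumed here to be the ASN prefix that matched)
    hit = _longest_match(FAKE_ASN_DB, ip)
    if hit:
        enriched["SourceRange"] = str(hit[0])

    # meta statics: Enriched.<key> -> Meta.<key>, only for keys actually produced
    for key in ("IsoCode", "IsInEU", "GeoCoords", "ASNNumber", "ASNOrg", "SourceRange"):
        if key in enriched:
            evt["Meta"][key] = enriched[key]
    return evt


if __name__ == "__main__":
    for ip in ("203.0.113.42", "10.1.2.3", "2001:db8::1", "fd12::1"):
        print(ip, "->", enrich({"Meta": {"source_ip": ip}})["Meta"])
```

Running the block shows the two outcomes a practitioner should expect from this parser: a public address such as `203.0.113.42` leaves with six extra `Meta` keys, while a private or loopback address (`10.1.2.3`, `fd12::1`) is returned exactly as it came in, so downstream scenarios must not assume `Meta.IsoCode` or `Meta.SourceRange` is always present.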