output-json/output-json-flow: Geoip enrichment [v2] #14567

jayhardee9 wants to merge 2 commits into OISF:main from
Add GeoIP enrichment to EVE JSON output.

Ticket: 6999
Co-Authored-By: Fandi Gunawan <10239907+fandigunawan@users.noreply.github.com>
Add GeoIP enrichment to flow EVE logs.
NOTE: This PR may contain new authors.
Codecov Report
✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

```
@@            Coverage Diff             @@
##             main   #14567      +/-   ##
==========================================
+ Coverage   82.12%   82.13%   +0.01%
==========================================
  Files        1014     1014
  Lines      262461   262445      -16
==========================================
+ Hits       215551   215568      +17
+ Misses      46910    46877      -33
```
jufajardini left a comment:
Thanks for picking this work up!
This is a bit nitty, could you add an output sample that's a good example of what we actually get with your patch? (I say this because your changes should fix the empty geoip_dst object that we see here, for instance).
I think Jason's comment on the format isn't fully addressed, yet: #10703 (comment)
(comment on etc/schema.json)

```json
        },
        "country_iso_code": {
          "type": "string"
        },
        "city_name": {
          "type": "string"
        },
        "country_name": {
          "type": "string"
```
ah, the schema-check script will complain about this, due to non-alphabetical order (as the CI shows).
To check these locally, run: ./scripts/schema-sort.py --check ./etc/schema.json
(comment on the code change)

```c
#ifdef HAVE_GEOIP
    if (cfg != NULL && cfg->geoip_enabled) {
        SCGeoIPGet(jb, srcip, "geoip_src");
        SCGeoIPGet(jb, dstip, "geoip_dst");
    }
#endif /* HAVE_GEOIP */
```
I would say we shouldn't change what we have in the flow header. Either we add this info further down in the header, or add this to EveAddFlow...
Oh I see, so place those under the flow key instead?
I'm thinking so... Let's see if we get more feedback. Any thoughts, @jasonish ?
Ok, after giving it some thought, I'm proposing that the schema isn't fixed at all, the reason being that the mmdb format is technically schema-less. Different mmdb products/custom ones will likely have different schemata. I propose configuring the enrichment like so (also renamed geoip -> mmdb, except for the pre-existing geoip-database:

```yaml
geoip-database: /usr/share/GeoIP/GeoLite2-Country.mmdb
outputs:
  - eve-log:
      mmdb-enrichment:
        enabled: yes
        fields:
          country_iso_code: ["country", "iso_code"]
          country_name: ["country", "names", "en"]
```

So under

```json
{
  "timestamp": "2025-01-15T10:30:00.000000+0000",
  "src_ip": "8.8.8.8",
  "dest_ip": "192.168.1.1",
  "flow": {
    "mmdb_src": {
      "country_iso_code": "US",
      "country_name": "United States"
    },
    ...
  }
}
```

Now, if I understand the fields:

```yaml
country_iso_code: ['country', 'iso_code']
```

If the end-user specifies

I'm also of the opinion that a nice-to-have would be logging warnings on startup if the field mappings don't match up with the mmdb schema -- it's an uncommon format, and a little help goes a long way (especially for those of us shipping custom mmdbs). A little bit of a pivot from the original ticket, but this approach makes more sense (to me at least).
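An added prototype of the path-based field mapping and the startup validation proposed in the comment above. This is example code, not Suricata's and not from this PR: the record layout (nested dicts laid out like a GeoLite2 City lookup), the sample addresses and the helper names are all constructed here, and a real deployment would query an opened mmdb reader instead of the `SAMPLE_DB` dict.

```python
"""Prototype of a configurable mmdb field mapping (added example, not Suricata code)."""
from __future__ import annotations

import ipaddress
import logging
from typing import Any

log = logging.getLogger("mmdb-enrichment")

# Constructed stand-in for an opened mmdb: one record keyed by IP. The nested
# layout mirrors a GeoLite2 City record, which the path-style config indexes into.
SAMPLE_DB: dict[str, dict[str, Any]] = {
    "192.236.155.230": {
        "country": {"iso_code": "US", "names": {"en": "United States"}},
        "city": {"names": {"en": "Seattle"}},
        "location": {"latitude": 47.4902, "longitude": -122.3004},
    },
}

# The 'fields' section of the proposed mmdb-enrichment config:
# output key -> path of keys into the record (assumed config shape).
FIELDS: dict[str, list[str]] = {
    "country_iso_code": ["country", "iso_code"],
    "country_name": ["country", "names", "en"],
    "city_name": ["city", "names", "en"],
}


def walk(record: dict[str, Any], path: list[str]) -> Any:
    """Follow a key path into a nested record; None if any step is missing."""
    cur: Any = record
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def validate_fields(db: dict[str, dict[str, Any]], fields: dict[str, list[str]]) -> list[str]:
    """Startup check: mmdb has no fixed schema, so probe each configured path
    against the records we have and warn about paths that resolve nowhere.
    Returns the output keys whose mapping never resolved."""
    bad: list[str] = []
    for out_key, path in fields.items():
        if not any(walk(rec, path) is not None for rec in db.values()):
            log.warning("mmdb-enrichment: field %s path %s not found in database", out_key, path)
            bad.append(out_key)
    return bad


def enrich(record: dict[str, Any], fields: dict[str, list[str]]) -> dict[str, Any]:
    """Resolve the configured paths for one record, dropping unresolved ones so
    a partial record never yields null-valued keys."""
    out: dict[str, Any] = {}
    for out_key, path in fields.items():
        value = walk(record, path)
        if value is not None:
            out[out_key] = value
    return out


def flow_enrichment(db: dict[str, dict[str, Any]], fields: dict[str, list[str]],
                    src_ip: str, dest_ip: str) -> dict[str, dict[str, Any]]:
    """Build the mmdb_src / mmdb_dst objects for the flow key. Non-global
    addresses (private, loopback, ...) are not looked up, and a side with
    nothing resolved is omitted entirely rather than logged as an empty object."""
    flow: dict[str, dict[str, Any]] = {}
    for key, ip in (("mmdb_src", src_ip), ("mmdb_dst", dest_ip)):
        if not ipaddress.ip_address(ip).is_global:
            continue
        record = db.get(ip)
        if record is None:
            continue
        resolved = enrich(record, fields)
        if resolved:
            flow[key] = resolved
    return flow


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # A deliberately wrong mapping to show the startup warning.
    validate_fields(SAMPLE_DB, {**FIELDS, "asn": ["autonomous_system_number"]})
    print(flow_enrichment(SAMPLE_DB, FIELDS, "192.236.155.230", "10.5.26.4"))
```

The `is_global` gate and the "omit rather than emit `{}`" rule in `flow_enrichment` are the two behaviours a reviewer would check against the output sample: a public-to-private flow gets only an `mmdb_src` object, and the private side produces no key at all.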
I'm not so sure about naming it mmdb. We should try to be somewhat generic, for the case where a future geoip implementation, which might not be MaxMind, can use the same schema. I've started exploring what ECS (Elastic) and OCSF are doing for this. I have some of my own post-processing tooling that does this as well, which I based on ECS. But not sure that's the best 5 years later. But the schema is an easy thing to change as well. So wouldn't let that block fixing other issues, if any.
Link to ticket: https://redmine.openinfosecfoundation.org/issues/6999
Previous PR: #14558
Describe changes:
- geoip-enrichment option under eve-log configuration in suricata.yaml
- json-output and json-output-flow modules

Eve output example with enrichment:
```json
{
  "timestamp": "2021-05-27T03:37:44.575843+0700",
  "flow_id": 2130735805455113,
  "pcap_cnt": 15756,
  "event_type": "fileinfo",
  "geoip_src": {
    "ip": "192.236.155.230",
    "geo": {
      "continent_code": "NA",
      "country_iso_code": "US",
      "city_name": "Seattle",
      "country_name": "United States",
      "continent_name": "North America",
      "timezone": "America/Los_Angeles",
      "location": {
        "lat": 47.4902,
        "lon": -122.3004
      }
    }
  },
  "geoip_dst": {},
  "src_ip": "192.236.155.230",
  "src_port": 80,
  "dest_ip": "10.5.26.4",
  "dest_port": 56042,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "http": {
    "hostname": "192.236.155.230",
    "url": "/images/redbutton.png",
    "http_user_agent": "WinHTTP loader/1.0",
    "http_content_type": "Content-type: application/octet-stream",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 105556
  },
  "app_proto": "http",
  "fileinfo": {
    "filename": "/images/redbutton.png",
    "gaps": false,
    "state": "TRUNCATED",
    "stored": false,
    "size": 102400,
    "tx_id": 0
  }
}
```

SV_BRANCH=OISF/suricata-verify#2838
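An added check, not part of this PR or of Suricata, for verifying EVE output once enrichment is enabled: it scans eve.json lines for enrichment objects that are present but empty (the `"geoip_dst": {}` case raised in review) and counts which side of each event was enriched, so a run over real output shows whether only the public side of private-to-public flows gets a record, as expected. It looks both at the top-level `geoip_src`/`geoip_dst` keys of this PR's sample and at `mmdb_src`/`mmdb_dst` under `flow` from the later proposal; the sample lines are constructed from the example above.

```python
"""Scan EVE JSON lines for empty enrichment objects (added example, not Suricata code)."""
import json

TOP_LEVEL_KEYS = ("geoip_src", "geoip_dst")   # layout in this PR's sample
FLOW_KEYS = ("mmdb_src", "mmdb_dst")          # layout proposed in the discussion

# Constructed eve.json lines: one with an empty geoip_dst, one with enrichment
# under the flow key, one private-to-private flow with no enrichment, and one
# line that is not JSON at all (a truncated write, for instance).
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "fileinfo", "src_ip": "192.236.155.230", "dest_ip": "10.5.26.4",
                "geoip_src": {"ip": "192.236.155.230", "geo": {"country_iso_code": "US"}},
                "geoip_dst": {}}),
    json.dumps({"event_type": "flow", "src_ip": "8.8.8.8", "dest_ip": "192.168.1.1",
                "flow": {"mmdb_src": {"country_iso_code": "US"}, "state": "closed"}}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.1", "dest_ip": "10.0.0.2",
                "flow": {"state": "closed"}}),
    "not json at all",
])


def find_empty_enrichment(eve_text: str) -> list[tuple[int, str]]:
    """Return (line_number, key) for every enrichment object that is exactly {}.
    Lines that fail to parse are reported under the key "<parse-error>"."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(eve_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append((lineno, "<parse-error>"))
            continue
        for key in TOP_LEVEL_KEYS:
            if key in ev and ev[key] == {}:
                findings.append((lineno, key))
        flow = ev.get("flow")
        if isinstance(flow, dict):
            for key in FLOW_KEYS:
                if key in flow and flow[key] == {}:
                    findings.append((lineno, "flow." + key))
    return findings


def enrichment_summary(eve_text: str) -> dict[str, int]:
    """Count parsed events and how many carry a non-empty src / dst enrichment,
    under either layout."""
    counts = {"events": 0, "src": 0, "dst": 0}
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        counts["events"] += 1
        flow = ev.get("flow") if isinstance(ev.get("flow"), dict) else {}
        if ev.get("geoip_src") or flow.get("mmdb_src"):
            counts["src"] += 1
        if ev.get("geoip_dst") or flow.get("mmdb_dst"):
            counts["dst"] += 1
    return counts


if __name__ == "__main__":
    for lineno, key in find_empty_enrichment(SAMPLE_EVE):
        print(f"line {lineno}: empty enrichment object {key}")
    print(enrichment_summary(SAMPLE_EVE))
```

To run it against a real file, replace `SAMPLE_EVE` with the contents of eve.json; an empty object finding on a private destination is the symptom the review asks this PR to remove, while a count of `dst` far below `src` on an internal sensor is the expected picture.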