Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
Arkime has its geoip database (see arkime/scripts/arkime_update_geo.sh) and logstash uses the geoip filter (see logstash/pipelines/beats/12_lookups.conf and logstash/pipelines/enrichment/11_lookups.conf), but they don't necessarily use the same database.
We should standardize:

- Where these databases (the mmdb files) come from: probably just pull them once, outside the containers' Dockerfile builds, and copy them into the Docker containers rather than pulling them as part of each Dockerfile.
- Coordinating periodic updates (this is a bit trickier: where do the files get stored?).
- Examine other uses of GeoIP if any (I don't think we're doing it with Zeek, as we're pushing that off to logstash).
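An added example (not Malcolm's own arkime_update_geo.sh or any other script from the project) of the standardization sketched above: one host-side script fetches each mmdb once into a shared directory that both the Arkime and Logstash containers can mount read-only, and exposes two checks a periodic job can use to decide whether a refresh is due and whether the two consumers' copies have drifted apart. The directory, the edition names, the license-key variable and the MaxMind download URL layout are assumptions for the example, not values taken from the issue.

```shell
#!/bin/sh
# Example, not Malcolm's code: keep ONE copy of the GeoIP mmdb files on the host
# and mount that directory into every container that needs it, instead of each
# Dockerfile pulling its own (possibly different) database at build time.
# GEOIP_DIR, DB_NAMES, MAXMIND_LICENSE_KEY and the URL layout are assumptions.

GEOIP_DIR="${GEOIP_DIR:-/opt/malcolm/geoip}"
DB_NAMES="${DB_NAMES:-GeoLite2-ASN GeoLite2-City GeoLite2-Country}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-30}"
MAXMIND_LICENSE_KEY="${MAXMIND_LICENSE_KEY:-REPLACE_WITH_LICENSE_KEY}"   # placeholder

# Portable sha256 of a file (GNU coreutils or BSD/macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Seconds since epoch of a file's mtime (GNU stat, then BSD stat).
file_mtime() {
  stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Return 0 when the two consumers' copies are byte-identical, 1 otherwise.
# Run this against the file each container actually loads to catch drift.
geoip_dbs_identical() {
  [ "$(file_sha256 "$1")" = "$(file_sha256 "$2")" ]
}

# Return 0 when the database is missing or older than MAX_AGE_DAYS (refresh it),
# 1 when it is still fresh. Second argument overrides the age threshold in days.
geoip_db_stale() {
  db="$1"
  max_days="${2:-$MAX_AGE_DAYS}"
  [ -f "$db" ] || return 0
  now=$(date +%s)
  age_days=$(( (now - $(file_mtime "$db")) / 86400 ))
  [ "$age_days" -ge "$max_days" ]
}

# Fetch one edition from MaxMind and install it atomically as $GEOIP_DIR/<name>.mmdb.
# URL layout assumed from MaxMind's permalink scheme; the tarball holds
# <name>_YYYYMMDD/<name>.mmdb, hence --strip-components=1.
fetch_geoip_db() {
  name="$1"
  url="https://download.maxmind.com/app/geoip_download?edition_id=${name}&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz"
  tmp=$(mktemp -d) || return 1
  if curl -fsSL "$url" | tar -xzf - -C "$tmp" --strip-components=1; then
    # Rename into place so a container reading the file never sees a partial write.
    mv "$tmp/${name}.mmdb" "$GEOIP_DIR/${name}.mmdb"
    rc=0
  else
    echo "fetch of ${name} failed" >&2
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# Periodic entry point (cron/systemd timer on the host): refresh only what is stale.
sync_geoip_dbs() {
  mkdir -p "$GEOIP_DIR"
  for name in $DB_NAMES; do
    if geoip_db_stale "$GEOIP_DIR/${name}.mmdb"; then
      fetch_geoip_db "$name" || return 1
    fi
  done
}

if [ "${1:-}" = "sync" ]; then
  sync_geoip_dbs
fi
```

Run `sh geoip_sync.sh sync` from a host timer, then bind-mount `$GEOIP_DIR` read-only into the Arkime and Logstash containers and point each at the same file (the Logstash geoip filter takes a `database` option for a custom mmdb path; where Arkime reads it from is a per-deployment detail not covered here). The staleness check answers "is an update due?" and the hash comparison answers "are both consumers still on the same database?", which are the two questions the issue raises.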
@mmguero cloned issue idaholab/Malcolm#485 on 2024-06-06: