kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

[Feature Request] Support for IPinfo's IP to Country ASN database #1714

Closed abdullahdevrel closed 10 months ago

abdullahdevrel commented 1 year ago

Requesting the integration of IPinfo's IP to Country ASN database (https://ipinfo.io/products/free-ip-database). Features of the database:

  • Free as in CC-BY-SA 4.0
  • Full accuracy and daily updates
  • Includes IPv4 and IPv6 addresses in a single db
  • Country + ASN in a single db
  • Comes in MMDB format

Moreover, as the ASN information is included with the database, it could add a new dimension to the malware analysis, as from our experience we have seen that ASN tends to be a more common attribute in group malicious attacks.

As far as adopting the database goes, the IP to Country ASN database is flat, so you don't need to do deep indexing to get IP information, and the database is more predictable.

Please let me know what you think. If you need any assistance, please let me know. Thanks.

Schema: https://ipinfo.io/developers/ip-to-country-asn-database

FIELD NAME      EXAMPLE                        DATA TYPE  DESCRIPTION
start_ip        1.0.16.0                       TEXT       Starting IP address of an IP address range
end_ip          1.0.31.255                     TEXT       Ending IP address of an IP address range
country         JP                             TEXT       ISO 3166 country code of the location
country_name    Japan                          TEXT       Name of the country
continent       AS                             TEXT       Continent code of the country
continent_name  Asia                           TEXT       Name of the continent
asn             AS2519                         TEXT       Autonomous System Number
as_name         ARTERIA Networks Corporation   TEXT       Name of the AS (Autonomous System) organization
as_domain       arteria-net.com                TEXT       Official domain or website of the AS organization

doomedraven commented 1 year ago

Why not use the current MaxMind DBs? They are supported already.

El jue, 24 ago 2023, 16:25, Abdullah @.***> escribió:

Requesting the integration of IPinfo's IP to Country ASN database https://ipinfo.io/products/free-ip-database. Features of the database:

  • Free as in CC-BY-SA 4.0
  • Full accuracy and daily updates
  • Includes IPv4 and IPv6 addresses in a single db
  • Country + ASN in a single db
  • Comes in MMDB format


doomedraven commented 1 year ago

We only use geoip location to get the country code. The structure of the data to access the CC is different, which could be just an if, but still, I don't see what value it adds. Am I missing something, some context?

```python
# Method excerpt; proc_cfg, get_maxminddb_client and log come from the surrounding CAPE module.
def _get_cn(self, ip):
    if proc_cfg.network.country_lookup:
        maxminddb_client = get_maxminddb_client()
        if maxminddb_client:
            try:
                return maxminddb_client.get(ip).get("country", {}).get("names", {}).get("en", "unknown")
            except Exception:
                log.error("Unable to resolve GEOIP for %s", ip)
    return "unknown"
```

So I'm not sure which benefits we will get from integrating another one.

abdullahdevrel commented 1 year ago

@doomedraven That is a good question.

If you can share an IP log db with me, I can look into common patterns using ASN and country data.

For integrating the database, you need to use the MMDB reader library and not the client library. As the database is flat in nature, querying field information is as simple as this:

```python
import maxminddb  # pip install maxminddb

# initializing the mmdb reader object
ipinfo_reader = maxminddb.open_database("./country_asn.mmdb")

input_ip = "65.54.77.238"
ipinfo_data = ipinfo_reader.get(input_ip)

# ipinfo_data
'''
{'as_domain': 'microsoft.com',
 'as_name': 'Microsoft Corporation',
 'asn': 'AS8075',
 'continent': 'NA',
 'continent_name': 'North America',
 'country': 'US',
 'country_name': 'United States'}
'''

ipinfo_data["country"]
# US

ipinfo_data["asn"]
# AS8075

ipinfo_data["as_name"]
# 'Microsoft Corporation'
```

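The two comments above describe the two record shapes a country lookup has to cope with: the nested MaxMind GeoLite2 shape that CAPE's `_get_cn` reads (`record["country"]["names"]["en"]`) and the flat IPinfo shape (`record["country"]`, `record["asn"]`, ...), plus the flat `start_ip`/`end_ip` CSV schema from the opening post. The block below is an added example written for this page; it is not CAPE's code and not IPinfo's. `RangeReader`, `normalize` and `get_cn` are hypothetical names; the sample CSV rows are constructed (the IPv6 row uses the documentation prefix and a reserved ASN). `RangeReader` offers the same `.get(ip)` -> dict-or-None contract as `maxminddb.Reader`, so `get_cn` works unchanged when handed `maxminddb.open_database("country_asn.mmdb")` or a GeoLite2-Country reader instead.

```python
import csv
import io
import ipaddress
from bisect import bisect_right

# Constructed rows in the IPinfo "IP to Country ASN" CSV schema quoted in the
# issue. The first two mirror the examples in the thread; the IPv6 row uses the
# documentation prefix 2001:db8::/32 and the reserved ASN 64496, so it is
# illustrative, not real attribution data.
SAMPLE_CSV = """start_ip,end_ip,country,country_name,continent,continent_name,asn,as_name,as_domain
1.0.16.0,1.0.31.255,JP,Japan,AS,Asia,AS2519,ARTERIA Networks Corporation,arteria-net.com
65.52.0.0,65.55.255.255,US,United States,NA,North America,AS8075,Microsoft Corporation,microsoft.com
2001:db8::,2001:db8:ffff:ffff:ffff:ffff:ffff:ffff,US,United States,NA,North America,AS64496,Example AS,example.net
"""

UNKNOWN = {"cc": "unknown", "country": "unknown", "asn": None, "as_name": None}


class RangeReader:
    """Hypothetical stand-in for maxminddb.Reader built from the flat CSV.
    Exposes the same .get(ip) -> dict-or-None contract, returning rows in the
    IPinfo shape (top-level string fields, no start_ip/end_ip)."""

    def __init__(self, csv_text):
        # One sorted table per IP version: IPv4 and IPv6 share the same file,
        # but their integer spaces must not be mixed in one binary search.
        self.tables = {4: [], 6: []}
        for row in csv.DictReader(io.StringIO(csv_text)):
            start = ipaddress.ip_address(row["start_ip"])
            end = ipaddress.ip_address(row["end_ip"])
            if start.version != end.version or int(end) < int(start):
                raise ValueError(f"malformed range {row['start_ip']}-{row['end_ip']}")
            self.tables[start.version].append((int(start), int(end), dict(row)))
        for table in self.tables.values():
            table.sort(key=lambda t: t[0])
        self.starts = {v: [t[0] for t in tbl] for v, tbl in self.tables.items()}

    def get(self, ip):
        addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
        table, n = self.tables[addr.version], int(addr)
        i = bisect_right(self.starts[addr.version], n) - 1
        if i >= 0 and table[i][0] <= n <= table[i][1]:
            row = table[i][2]
            return {k: v for k, v in row.items() if k not in ("start_ip", "end_ip")}
        return None  # gap between ranges: behaves like maxminddb's miss


def normalize(record):
    """Flatten either database's record into one dict. GeoLite2-Country nests
    the country under record["country"]["iso_code"] / ["names"]["en"]; the
    IPinfo db keeps every field as a top-level string. This is the "just an
    if" the discussion mentions."""
    if not record:
        return dict(UNKNOWN)
    country = record.get("country")
    if isinstance(country, dict):  # MaxMind shape
        return {
            "cc": country.get("iso_code", "unknown"),
            "country": country.get("names", {}).get("en", "unknown"),
            "asn": None,       # GeoLite2-Country carries no ASN data
            "as_name": None,
        }
    return {                        # IPinfo shape
        "cc": country or "unknown",
        "country": record.get("country_name", "unknown"),
        "asn": record.get("asn"),
        "as_name": record.get("as_name"),
    }


def get_cn(reader, ip):
    """Schema-agnostic lookup that never raises: it runs during report
    processing, where one odd IP string must not abort the whole analysis."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return dict(UNKNOWN)
    if not addr.is_global:          # RFC 1918, loopback, link-local: no geodata
        return dict(UNKNOWN)
    try:
        return normalize(reader.get(str(addr)))
    except Exception:               # reader errors, missing db, etc.
        return dict(UNKNOWN)


if __name__ == "__main__":
    reader = RangeReader(SAMPLE_CSV)
    for ip in ("65.54.77.238", "1.0.20.5", "1.0.32.0", "10.1.2.3", "2001:db8::1"):
        print(ip, get_cn(reader, ip), reader.get(ip) if ip.startswith("2001") else "")
```

With the IPv6 sample row the lookup goes through `reader.get` directly (the documentation prefix is non-global, so `get_cn` filters it), which is the point of the `is_global` check: sandbox traffic to RFC 1918 or link-local addresses should come back as unknown rather than hit the database at all. Swapping in `maxminddb.open_database(...)` for `reader` requires no other change because both readers return `None` on a miss and a dict on a hit.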
doomedraven commented 1 year ago

OK, thanks. Well, this change will break all existing setups for all the users, and as I don't see this as an ultra important feature that should be done NOW, I will consider/play with this when I have some spare time.

abdullahdevrel commented 1 year ago

Oh yeah, of course. This is just a feature request. There is absolutely no rush in implementing it. Please explore the db, and if there is any question, please do not hesitate to ask. I really appreciate you considering the proposal.

I have written some posts on our community that feature the database that you might find interesting: https://community.ipinfo.io/latest

Tools to explore the db:

doomedraven commented 10 months ago

Hello, with a huge delay, I was able to check the databases and I love ipinfo's free database. About to merge after some testing: https://github.com/kevoreilly/CAPEv2/pull/1863. Thank you for the heads-up.

abdullahdevrel commented 10 months ago

@doomedraven Thank you very much! We are so happy to be part of CAPEv2's ecosystem. It really means a lot to us. Thank you very much for the effort and support in integrating our database into the project.