maxmind / mmdb-from-go-blogpost

Enriching MMDB files with your own data using Go.
https://blog.maxmind.com/2020/09/01/enriching-mmdb-files-with-your-own-data-using-go/
Apache License 2.0

Splunk can't load the updated mmdb file #23

Closed DVRusak closed 6 months ago

DVRusak commented 6 months ago

In general, the situation is this: I use mmdb to determine the ip location in traffic in Splunk using the module | iplocation.

When you load a regular mmdb without changes, it loads well.

When you load an mmdb file processed by the library, it's a completely different, bad outcome.

That is, in general, I simply took and rewrote the mmdb without making changes, and Splunk still did not want to accept it.

Question: what does the library do that makes Splunk stop accepting the file? (If you look at the metadata, only build_epoch changes. The file size does not change.)

Code that just rewrites the mmdb:

```go
package main

import (
	"log"
	"os"

	"github.com/maxmind/mmdbwriter"
)

func main() {
	// Load the database we wish to enrich.
	pathToDB := "test/GeoLite2-City.mmdb"

	writer, err := mmdbwriter.Load(pathToDB, mmdbwriter.Options{})
	if err != nil {
		log.Fatal(err)
	}

	// Write the newly enriched DB to the filesystem.
	fh, err := os.Create("test/GeoLite2-City1.mmdb")
	if err != nil {
		log.Fatal(err)
	}
	defer fh.Close()

	if _, err = writer.WriteTo(fh); err != nil {
		log.Fatal(err)
	}
}
```

DVRusak commented 6 months ago

If you look in the WinMerge program, the differences are in two memes in one line.

oschwald commented 6 months ago

The official MMDB is also written with this library. Does Splunk provide a particular error?

DVRusak commented 6 months ago

There may be some additional information in the logs, but you need to know where to look.

The error in the screenshot occurs if the raw mmdb is replaced in the Splunk files with a custom version.

Accordingly, if the replacement is made through the web console, then Splunk will not allow you to download this file.

DVRusak commented 6 months ago

The problem was solved after manually replacing the string element " w" with "Ben" (marked in yellow in the last screenshot).

Moreover, if you use lookups in the Python and Go languages, then there will be no difference in the metadata when reading. But in the hex editor the difference is visible, and not only in build_epoch.

Apparently Splunk cannot read the slightly different mmdb metadata structure.

solved

oschwald commented 6 months ago

I am guessing the issue is that Splunk is using an old version of libmaxminddb that does not correctly handle pointers in the metadata. You can disable these with the DisableMetadataPointers option.
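As an added example (not code from this repository or from anyone in the thread), here is a small Python checker that walks the metadata section of an MMDB file using the MMDB data-section encoding and counts pointer-typed values: a file an old libmaxminddb rejects would show a non-zero count, while one written with DisableMetadataPointers should report zero. The two sample byte strings are constructed for the demonstration and are not real MaxMind data.

```python
METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"


def count_metadata_pointers(data: bytes) -> int:
    """Walk the metadata map with the MMDB data-section encoding and return
    how many pointer-typed values it holds (zero is what an old libmaxminddb
    needs, and what DisableMetadataPointers produces)."""
    start = data.rfind(METADATA_MARKER)
    if start < 0:
        raise ValueError("metadata marker not found")
    d, pos, pointers = data[start + len(METADATA_MARKER):], 0, 0

    def take(n):  # consume n bytes, failing loudly on a truncated section
        nonlocal pos
        if pos + n > len(d):
            raise ValueError("truncated metadata")
        pos += n
        return d[pos - n:pos]

    def walk():
        nonlocal pointers
        ctrl = take(1)[0]
        typ, size = ctrl >> 5, ctrl & 0x1F
        if typ == 0:  # extended type: the real type is 7 plus the next byte
            typ = take(1)[0] + 7
        if typ == 1:  # pointer: bits 3-4 of the control byte give width - 1
            pointers += 1
            take(((ctrl >> 3) & 3) + 1)
            return
        if size >= 29:  # sizes 29..31 mean one to three extra size bytes
            size = (29, 285, 65821)[size - 29] + int.from_bytes(take(size - 28), "big")
        if typ in (7, 11):  # map: size key/value pairs; array: size elements
            for _ in range(size * 2 if typ == 7 else size):
                walk()
        elif typ != 14:  # boolean carries its value in size; others have size bytes
            take(size)

    walk()
    return pointers


# Constructed sample metadata (not real MaxMind data), prefixed as in an .mmdb tail:
# {"build_epoch": 1700000000, "database_type": "Test"} with every value written inline
INLINE = (b"tree" + METADATA_MARKER + b"\xe2" + b"\x4bbuild_epoch"
          + b"\x04\x02\x65\x53\xf1\x00" + b"\x4ddatabase_type" + b"\x44Test")
# the same map, but database_type is a pointer and "languages" is an array of one pointer
POINTERS = (b"tree" + METADATA_MARKER + b"\xe3" + b"\x4bbuild_epoch"
            + b"\x04\x02\x65\x53\xf1\x00" + b"\x4ddatabase_type" + b"\x20\x00"
            + b"\x49languages" + b"\x01\x04" + b"\x28\x00\x10")
```

To check a real file, pass its contents: `count_metadata_pointers(open("GeoLite2-City.mmdb", "rb").read())`.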