No entries found for ASN zone – change in data source

BallyBasic79
Junior Member
Posts: 24
Joined: 22 Aug 2019, 21:43


Today I was delighted to realize that one can enter ASNs in the firewall and the respective ranges will be looked up and added. I had been looking up and adding ranges manually, which is quite time-consuming. But I was disappointed when it didn't work:
Aug 28 15:43:28 server lfd[31789]: CC: Retrieving GeoLite2 CSV ASN database [http://geolite.maxmind.com/download/geo ... SN-CSV.zip]
Aug 28 15:43:29 server lfd[31789]: CC: Processing GeoLite2 CSV Country/ASN database
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [205727]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [205727] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [397086]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [397086] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [46573]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [46573] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [31034]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [31034] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [199653]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [199653] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [199883]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [199883] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [TR]
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [202242]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [202242] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [PA]
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [200185]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [200185] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [BR]
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [30548]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [30548] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [54290]
Aug 28 15:43:33 server lfd[31789]: CC: No entries found for [54290] in /var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv
Aug 28 15:43:33 server lfd[31789]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [BG]
Aug 28 15:43:34 server lfd[31790]: CCL: Retrieving GeoLite2 ASN database [http://geolite.maxmind.com/download/geo ... SN-CSV.zip]
Aug 28 15:43:34 server lfd[31790]: CCL: Retrieving GeoLite2 City database [http://geolite.maxmind.com/download/geo ... ty-CSV.zip]
Aug 28 15:43:40 server lfd[31790]: CCL: Retrieved GeoLite2 IP database
I happened to have a copy of the GeoLite2 ASN CSV open and noticed that the ASNs are listed as digits only – no "AS" prefix.

Looking in lfd.pl on line 5193 in the countrycode subroutine (highlighted below), the letters "AS" are prefixed to the search term.
			open ($IN, "<", "/var/lib/csf/Geo/GeoLite2-ASN-Blocks-IPv4.csv");
			flock ($IN, LOCK_SH);
			while (my $record = <$IN>) {
				chomp $record;
				$record =~ s/\"//g;
				my ($range,$asn,undef) = split (/\,/,$record);
				foreach my $cc (keys %cclist) {
					if (uc($cc) =~ /AS(\d+)/) {	# <<< line 5193
						if ($1 eq $asn) {
							$dcidr{$cc}{$range} = 1;
						}
					}
				}
			}
I removed the letters "AS" and restarted CSF. Consequently, the ASNs were found and the zones were appropriately created.
Aug 28 16:14:25 server lfd[3305]: CC: Processing GeoLite2 CSV Country/ASN database
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [205727]
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [46573]
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [199653]
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [397086]
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [54290]
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [199883]
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [31034]
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [200185]
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [202242]
Aug 28 16:14:30 server lfd[3305]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [30548]
I am guessing that the MaxMind GeoLite2 Country database listed ASNs with the AS prefix until sometime recently.

Feel free to let me know if you have any other questions or concerns. Thanks for the great product!
ForumAdmin
Moderator
Posts: 1435
Joined: 01 Oct 2008, 09:24


You're misreading the code a little. csf expects the format of the ASN listed in the CC_* options to be ASnnnn (i.e. how it is formatted in whois). We'll update csf.conf to make this clear.
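
The comparison in the lfd.pl excerpt quoted earlier in the thread, reproduced as an added stand-alone Perl example (not part of the thread and not csf's own code) to show which list entries end up with a zone. The CSV rows and the CC_* list are constructed sample data, and zone_for is a hypothetical helper name.

```perl
#!/usr/bin/perl
# Added illustration, not csf code: applies the test from the quoted lfd.pl
# excerpt to constructed GeoLite2-ASN-Blocks-IPv4.csv rows.
use strict;
use warnings;

# Constructed sample rows (documentation ranges, invented organisation names).
my @csv = (
    'network,autonomous_system_number,autonomous_system_organization',
    '192.0.2.0/24,205727,"Example Org A"',
    '198.51.100.0/24,46573,"Example Org B"',
    '203.0.113.0/24,205727,"Example Org A"',
);

# Hypothetical CC_* list: two ASNs in whois form, one bare number, one country code.
my @cclist = qw(AS205727 as46573 31034 TR);

# Same test as the excerpt: only entries containing AS<digits> are compared,
# and the captured digits are matched against the digits-only CSV column.
sub zone_for {
    my ($entry, @rows) = @_;
    return unless uc($entry) =~ /AS(\d+)/;
    my $want = $1;
    my @ranges;
    for my $record (@rows) {
        (my $line = $record) =~ s/"//g;          # strip quotes, as lfd.pl does
        my ($range, $asn) = split /,/, $line;    # first two columns only
        push @ranges, $range if defined $asn && $asn eq $want;
    }
    return @ranges;
}

for my $entry (@cclist) {
    my @ranges = zone_for($entry, @csv);
    if (@ranges) {
        print "$entry: ", scalar(@ranges), " range(s): @ranges\n";
    }
    elsif ($entry =~ /^\d+$/) {
        # Bare digits never pass the AS<digits> test, so no zone is built.
        print "$entry: no entries found; write it as AS$entry\n";
    }
    elsif ($entry =~ /^[A-Za-z]{2}$/) {
        print "$entry: two-letter code, skipped by the AS<digits> test\n";
    }
    else {
        print "$entry: no entries found in the ASN file\n";
    }
}
```

Run against the sample data, AS205727 and as46573 each resolve to their ranges, while the bare 31034 produces no zone, which is the "No entries found" case from the log.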
BallyBasic79
Junior Member
Posts: 24
Joined: 22 Aug 2019, 21:43


Thank you for the information. There is no doubt that the code in csf is expecting the ASN to be listed in ASnnnn format. That is how I read it as well.

There does appear to be doubt about the expected format of the ASN data provided in the GeoLite2 ASN CSV Database. This week's file provides the ASNs in integer format with no AS prefix. MaxMind's GeoLite2 ASN CSV Database product page lists the field definition as:
autonomous_system_number string The autonomous system number associated with the IP address.
This wasn't quite clear to me, so I submitted a support request with MaxMind to confirm the format and whether it has changed recently. I received the following:
Thank you for your reply. I believe the GeoLite2 ASN database format would be 12345. The full output of possible data in the GeoLite2 ASN CSV Database should be: IP address, ASN, Organization (Ex: 00.00.000.0, 12345, "Organization").
I don't have, nor do they provide, previous copies of the GeoLite2 ASN CSV Database to verify the ASN format. According to the current data, there is no AS prefix. They did not say anything about the format changing.

So, I do have confusion. The code expects AS prefix and surely the data source came that way when this feature was coded or it wouldn't have worked. But when did it change and how am I the first one reporting it? Is the feature not used by many? Or do people think it works and not notice the "No entries found for..." log messages? I thought this was a fairly simple case of the import data source changing their format, causing the existing code to malfunction. What else am I missing?

Thanks.