Wazuh-indexer ingest-geoip module is using outdated maxmind's databases.

[ArielIvanOjeda]

Wazuh version	Install type	Action performed	Platform
4.3.1-rev4311	Wazuh-indexer	Install	CentOS 7

The ingest-geoip module is using an outdated database and this causes some alerts to be indexed with incorrect Geolocation information. This was also tested in 4.3.10 and the same behavior can be observed.

Below you can find a couple of sample IPs, they are from the US but they are reported as UK and German IPs.

To Reproduce
Steps to reproduce the behavior:

1. I used these events to do some testing:

Dec 26 13:34:10 wazuh-server sshd[3223]: Accepted password for wazuh-user from 45.86.208.10 port 52360 ssh2
Dec 26 13:34:10 wazuh-server sshd[3223]: Accepted password for wazuh-user from 185.38.240.10 port 52360 ssh2

I added them to a local file in my lab:
/var/ossec/logs/testlog.log

I added the corresponding localfile configuration block to capture the events from the file:

  <localfile>
    <location>/var/ossec/logs/testlog.log</location>
    <log_format>syslog</log_format>
  </localfile>

The events are matched by rule 5715, and the srcip field is used to gather the GeoIP information, including the country.

Expected behavior
Both sample events should be reported as IPs from the US.

Current behavior
One of the IPs is reported as from the UK and the other as from Germany.

Please let me know if you need anything else.

[ArielIvanOjeda]

A workaround that I found was to manually update the databases with the latest versions found in the website.

• I created an account here GeoLite2 Sign Up - MaxMind and downloaded the databases in GZIP format.

• I stopped the wazuh-indexer service systemctl stop wazuh-indexer

• In the /usr/share/wazuh-indexer/modules/ingest-geoip/ folder I moved the three following files to a backup folder:
  

• Extracted the same three files from the GZIP files downloaded from MaxMind's website.

• Changed the ownership and permissions of the files to match the original files.
  chown wazuh-indexer:wazuh-indexer /usr/share/wazuh-indexer/modules/ingest-geoip/GeoLite2-*
chmod 640 /usr/share/wazuh-indexer/modules/ingest-geoip/GeoLite2-*

• Started the wazuh-indexer service again systemctl start wazuh-indexer

• Same IPs from the examples, after updating the databases:
  

Best regards,

Ariel.

[DFolchA]

Update

We have found the following utility to update the DB easier:
https://github.com/maxmind/geoipupdate/releases/tag/v5.1.1

We could use it during the creation of the Wazuh indexer base, and this way we can include the latest version of the DB in each package.

To use this we just need an account in the MaxMind web, and finally, we have to set the configuration file with the account ID and the licence number generated for the account:

# GeoIP.conf file for `geoipupdate` program, for versions >= 3.1.1.
# Used to update GeoIP databases from https://www.maxmind.com.
# For more information about this config file, visit the docs at
# https://dev.maxmind.com/geoip/updating-databases.

# `AccountID` is from your MaxMind account.
AccountID <ID>

# `LicenseKey` is from your MaxMind account
LicenseKey <LICENSE>

# `EditionIDs` is from your MaxMind account.
EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country

Finally, run the following command:

geoipupdate -d /usr/share/wazuh-indexer/modules/ingest-geoip/

Other options would be to include the geoipupdate utility inside the package so the user can update the DB whenever they need or to indicate in the documentation how to update it.

[gdiazlo]

OpenSearch is working on a way to manage the auto-update of the maxmind database with a refactor of the GeoIP code. This is expected to land in OpenSearch 2.10 as per opensearch-project/documentation-website#3524 (comment)

The parent OpenSearch issue is opensearch-project/OpenSearch#5856

I'll block this until the new code lands in the upstream OpenSearch.

[AlexRuiz7]

Feature will be included in 4.8.0, which uses Opensearch 2.10.0. Closing it.