2017-02-16 05:25 PM
We've added a couple of custom meta keys for storing IPv4 addresses aside from ip.src/dst, orig_ip, and alias.ip. We were looking for a way to initiate a MaxMind geo IP lookup for each value as it's registered by our lua parsers and store the result in a custom country code meta key (country.client, country.x-forwarded-for, country.x-originating, etc...) similar to how ip.src/dst have their geo information stored in the country.src and country.dst meta keys.
Is there a way to do this with lua parsers? We've created the country.* meta keys to store the country values but aren't sure how to have the decoders perform a lookup. I know we can do it with ESA, but we'd like to perform the lookup on every IPv4 value as it comes in. Any feedback would be greatly appreciated.
2017-02-20 02:59 PM
The GEOIP function uses a separate DAT file on the decoder (/etc/netwitness/ng) and only runs on ip.src or ip.dst. Therefore, having that specific component run against other meta keys is not an option without a code change.
Furthermore, I don't think that a CIDR block lookup will work on an IP-formatted meta key OTHER than ip.src or ip.dst. That would exclude feeds from being an option here as well.
You could create a parser that would perform a meta callback against other meta keys and then build functions that could compare the IP address from the meta callback against a provided list of CIDR blocks. Those CIDR blocks could be provided by the GEOIP information in the form of a Lua table in the parser (or even a parser options file). However, even with that, there would be quite a bit of customization of the table to get things into a format that worked. I think if you used the IPv4 file from Maxmind which gives you the geoname_id, that could be the resulting value from the parser. Then, build a custom feed to convert the geoname_id into a human readable value.
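An added illustration of the CIDR-table approach described in the reply above (this is not code from the thread, nor from RSA NetWitness or MaxMind): a pure-Lua longest-prefix lookup that maps an IPv4 string to a geoname_id, with the table pre-sorted so the most specific block wins. The rows in cidr_rows are constructed placeholders standing in for entries generated from the MaxMind IPv4 CSV; the on_custom_ip function and the commented-out nw.createMeta line are assumptions about how this would hang off a meta callback and are not verified against the parser SDK.

```lua
-- Added example, not from the original thread: pure-Lua CIDR lookup that maps
-- an IPv4 string to a geoname_id, modelled on the meta-callback approach above.
-- Table contents are constructed placeholders, not real MaxMind data.

-- Hypothetical table in the shape of MaxMind's IPv4 CSV (network, geoname_id).
-- In practice these rows would be generated from the GeoIP CSV download.
local cidr_rows = {
  { "10.0.0.0/8",    1000001 },  -- constructed sample
  { "10.20.0.0/16",  1000002 },  -- more specific prefix inside 10.0.0.0/8
  { "192.0.2.0/24",  1000003 },  -- TEST-NET-1, constructed sample
}

-- Convert dotted-quad text to a 32-bit number; returns nil on malformed input
-- so a bad value registered in a custom key cannot produce a false match.
local function ip4_to_number(s)
  local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- Pre-compute each block's network number and host-part size once, then sort
-- longest prefix first so the first hit is the most specific block. Integer
-- division is used instead of bit operations so this runs on Lua 5.1 as well.
local function build_table(rows)
  local t = {}
  for _, row in ipairs(rows) do
    local net, bits = row[1]:match("^([%d%.]+)/(%d+)$")
    local n = net and ip4_to_number(net)
    bits = tonumber(bits)
    if n and bits and bits >= 0 and bits <= 32 then
      local block = 2 ^ (32 - bits)               -- number of host addresses
      t[#t + 1] = {
        base = math.floor(n / block),             -- network number / block
        block = block,
        bits = bits,
        geoname_id = row[2],
      }
    end
  end
  table.sort(t, function(x, y) return x.bits > y.bits end)
  return t
end

local geo_table = build_table(cidr_rows)

-- Longest-prefix match: returns the geoname_id, or nil if no block covers
-- the address or the text is not a valid IPv4 address.
local function lookup_geoname(ip_text, tbl)
  tbl = tbl or geo_table
  local n = ip4_to_number(ip_text)
  if not n then return nil end
  for _, e in ipairs(tbl) do
    if math.floor(n / e.block) == e.base then return e.geoname_id end
  end
  return nil
end

-- Hypothetical meta-callback body (assumption, not the SDK's signature): when
-- the decoder hands the parser a value registered under one of the custom IPv4
-- keys, look it up and register the geoname_id under a matching custom key.
-- The nw.createMeta call is how I understand meta is written from a parser;
-- it is left commented so this file runs stand-alone in plain Lua.
local function on_custom_ip(key_name, value)
  local id = lookup_geoname(value)
  if id then
    -- nw.createMeta(nwlanguagekey.create("geoname." .. key_name, nwtypes.Text), tostring(id))
    return id
  end
  return nil
end

-- Stand-alone demonstration with constructed inputs.
print(lookup_geoname("10.20.1.1"))    -- 1000002 (most specific /16 wins)
print(lookup_geoname("10.1.2.3"))     -- 1000001 (falls through to the /8)
print(lookup_geoname("192.0.2.5"))    -- 1000003
print(lookup_geoname("172.16.0.1"))   -- nil (not covered)
print(lookup_geoname("999.1.1.1"))    -- nil (rejected as malformed)
print(on_custom_ip("client", "10.20.1.1"))
```

The geoname_id comes back as a number here, which matches the suggestion above of registering it as the parser's result and resolving it to a country name with a separate feed; the CIDR table for a full MaxMind download is large, so in a real parser it belongs in a generated options file rather than inline.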
2017-02-21 10:55 AM
Thank you for the information Christopher. We'll look into the last option. However, we've been able to search and write rules with CIDR blocks against our custom IPv4 meta keys. We created these specifically because orig_ip is a text variable, and CIDR searching wouldn't work with it and we couldn't override its format.