This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Geographic Information in Investigator

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-02-13 08:41 AM

Hello,

I am relying heavily on geographic information presented within Investigator, mainly source and dest city, organization and such.

Is the DB used by Investigator updated on a regular basis, and can I download the updates into my network?

I am using Investigator on a computer not connected to the internet.

 

Thank you,

 

John.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2013-02-14 05:24 AM

Hi John,

 

They are actually named "GeoCity.dat", "GeoCountry.dat", "GeoDomain.dat" and "GeoOrg.dat" and they normally reside on:

 

Win7     : \ProgramData\NetWitness\

Win7     : \Users\All Users\NetWitness\  (additional copy)

Win2K3 : \Documents and Settings\All Users\Application Data\NetWitness\

 

Those are the two OSes that I have immediate access to check but should give you a fairly good idea of where they live for most Windows based systems.

 

Only City and Country have Lite (i.e. free versions from MaxMind), Domain and Org are subscription only.

 

Hope that helps!

 

Regards,

 

Rui

View solution in original post

0 Likes
4 REPLIES 4

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-02-13 09:25 PM

The GEOIP information is from maxmind- and its their free version, which is about 96% accurate or better at the time that our bundled software is released.  Given that IP addresses change over time, along with org and domain ownership, the GEOIP data does degrade over time between new software releases.  It is not updated live from within the product. 

 

You can subscribe to MaxMind's GEOIP database yourself (paid subscription I think) and update the information by updating the geoip.dat file.  See the help file in investigator for details on how to do this.

 

That said, I have found that the org.src and org.dst, and domain.src and domain.dst keys are more accurate than city source and destination information.

 

Out of curiosity, why do you rely on the GEOIP information so much for your use case?  What results are you shooting for?  There might be another way to get your goals....

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2013-02-14 02:38 AM

Hi Fielder, thank you very much for your reply.

However, I was unable to find the geoip.dat file anywhere, and the help file within investigator wasn't of much help.

If you could be more specfic as the what is the file name and where it is located I will be grateful.

 

John.

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2013-02-14 05:24 AM

Hi John,

 

They are actually named "GeoCity.dat", "GeoCountry.dat", "GeoDomain.dat" and "GeoOrg.dat" and they normally reside on:

 

Win7     : \ProgramData\NetWitness\

Win7     : \Users\All Users\NetWitness\  (additional copy)

Win2K3 : \Documents and Settings\All Users\Application Data\NetWitness\

 

Those are the two OSes that I have immediate access to check but should give you a fairly good idea of where they live for most Windows based systems.

 

Only City and Country have Lite (i.e. free versions from MaxMind), Domain and Org are subscription only.

 

Hope that helps!

 

Regards,

 

Rui

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2013-02-14 05:44 AM

Thank you, Rui.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.