2018-03-29 10:17 AM
Hi There -
I have a client that is using Internet routable addressing on their private network (historical) and I'd like to change the GeoLocation in NW 10 to reflect the organization rather than leveraging the default tagged country, organization, etc. For both investigations and reporting, having this changed would be helpful.
Does anyone know if this is possible?
2018-03-29 10:28 AM
Are you trying to set the direction of traffic correctly?
Are you using org.dst exists as an indicator of outbound traffic?
If so, consider using the traffic_flow parser and then update the traffic_flow options file to mark that public range as internal, and your direction will be set properly in the direction metakey (outbound, inbound, lateral).
The geo data from MaxMind can be customized to add location for private IP addresses that will never be in the MaxMind DB, but not sure you can override public addresses with new versions to remove/set org information to mark public ranges internal. geoprivate.ipl on the decoders allows you to add location info for private ranges, but I don't think it allows override of the existing MaxMind DB.
2018-03-29 11:56 AM
I would suggest using the Geoprivate.ipl file on the decoders to see if it will override the maxmind data
Format of the geoprivate.ipl (note: blank file can be found under Decoder -> Config -> Files tab)
<?xml version="1.0" encoding="UTF-8"?>
<IpLocations>
<IP city="Palo Alto, CA" country="United States" fromIP="10.0.0.0" lat="37.269174" lon="-119.306607" org="XYZ Corp" toIP="10.255.255.255"/>
</IpLocations>
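An added example, not from this thread and not RSA NetWitness code: it parses the geoprivate.ipl format shown above so an entry can be checked before it goes on a decoder (a reversed fromIP/toIP range is rejected), looks up which org/city an address would be tagged with, and classifies a src/dst pair as outbound, inbound or lateral against a set of ranges declared internal, which is the distinction the traffic_flow parser makes in the earlier reply. The XML sample, the internal range list and the "external" label for traffic with neither side internal are constructed for this example; the public block used (203.0.113.0/24) is a documentation-only TEST-NET range standing in for the client's real Internet-routable space.

```python
"""Check a geoprivate.ipl file and classify traffic direction against it.

Added example (not from the original thread or from RSA NetWitness). The
<IpLocations>/<IP> format matches the sample posted in the thread; the
internal-range list and the sample addresses are constructed for this demo.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample: the RFC 1918 entry from the thread plus a public block
# (TEST-NET-3, 203.0.113.0/24) used here to stand in for an organisation
# that numbers its private network from Internet-routable space.
SAMPLE_IPL = """<?xml version="1.0" encoding="UTF-8"?>
<IpLocations>
<IP city="Palo Alto, CA" country="United States" fromIP="10.0.0.0" lat="37.269174" lon="-119.306607" org="XYZ Corp" toIP="10.255.255.255"/>
<IP city="Palo Alto, CA" country="United States" fromIP="203.0.113.0" lat="37.269174" lon="-119.306607" org="XYZ Corp" toIP="203.0.113.255"/>
</IpLocations>
"""

# Constructed: the ranges a traffic_flow-style configuration would mark internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

# (first address as int, last address as int, attributes of the <IP> element)
Range = Tuple[int, int, Dict[str, str]]


def parse_ipl(xml_text: str) -> List[Range]:
    """Parse every <IP .../> element under <IpLocations> into a Range.

    Raises ValueError for an unexpected root element or for an entry whose
    fromIP is above its toIP, since such a range would silently match nothing.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "IpLocations":
        raise ValueError(f"unexpected root element {root.tag!r}")
    ranges: List[Range] = []
    for el in root.findall("IP"):
        lo = int(ipaddress.ip_address(el.attrib["fromIP"]))
        hi = int(ipaddress.ip_address(el.attrib["toIP"]))
        if lo > hi:
            raise ValueError(
                f"reversed range {el.attrib['fromIP']} - {el.attrib['toIP']}"
            )
        ranges.append((lo, hi, dict(el.attrib)))
    return ranges


def lookup(ranges: List[Range], ip: str) -> Optional[Dict[str, str]]:
    """Return the attributes of the first range containing ip, or None."""
    n = int(ipaddress.ip_address(ip))
    for lo, hi, attrs in ranges:
        if lo <= n <= hi:
            return attrs
    return None


def is_internal(ip: str, internal_nets=INTERNAL_NETS) -> bool:
    """True if ip falls inside any range declared internal."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def direction(src: str, dst: str, internal_nets=INTERNAL_NETS) -> str:
    """Classify a flow the way a direction metakey would: lateral when both
    ends are internal, outbound/inbound when only one is. "external" (neither
    end internal) is this example's own label."""
    s_in, d_in = is_internal(src, internal_nets), is_internal(dst, internal_nets)
    if s_in and d_in:
        return "lateral"
    if s_in:
        return "outbound"
    if d_in:
        return "inbound"
    return "external"


if __name__ == "__main__":
    ranges = parse_ipl(SAMPLE_IPL)
    for ip in ("10.1.2.3", "203.0.113.7", "198.51.100.5"):
        hit = lookup(ranges, ip)
        print(ip, "->", hit["org"] if hit else "no geoprivate entry")
    # Source inside the public-but-internal block talking to an outside host:
    print(direction("203.0.113.7", "198.51.100.5"))  # outbound
```

Running the file prints the org tag each sample address would receive and shows that a host in the client's Internet-routable block is still treated as internal for direction purposes once that block is listed in INTERNAL_NETS, which is the effect the traffic_flow options file is meant to give; whether the decoder also lets geoprivate.ipl override MaxMind's own org/country for that block is exactly the open question in the thread, and this script only validates the file, it does not answer that.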
2018-03-29 01:08 PM
Thanks for the info. I do have my traffic defined for direction and that appears to be working as required. I did add the line to GeoPrivate.ipl and unfortunately it does not look like it will allow an override of the existing MaxMind data. I will keep digging, however, as I suspect this isn't the first organization to come across this dilemma.
Thanks, Jay