Reference a known malicious CSV list of IP Addresses


(Ayoola Ayooluwa) #1

Hi, is it possible to reference a list in Graylog? What I want to do is compare my source addresses with a list of known malicious addresses I already have in a CSV file. In short, what I want to do is check if my source addresses are accessing any of the malicious addresses.

Thanks


(Jochen) #2

http://docs.graylog.org/en/2.3/pages/lookuptables.html


(Ayoola Ayooluwa) #3

Thanks, I have read about it and I just tried implementing it, but it still isn't working. Please, what exactly is wrong? Below are the screenshots:

  1. Screenshot of the CSV file

  2. Data Adapter

  3. Lookup table


(Jochen) #4

What’s the actual content of the file?


(Ayoola Ayooluwa) #5

Suspected malicious IP addresses, and I have close to 2000 rows.


(Ayoola Ayooluwa) #6

For the Quote Character field, I used a space, whereas the next IP to check is on the next line. Hope it isn't wrong?


(Jochen) #7

Please provide examples. And a screenshot of Excel is not an example.

Just leave the default value (double quote).


(Jan Doberstein) #8

Maybe for clarification:

The lookup is a key-value lookup. In your case the value could be a second column that just contains “true” or whatever indicator. Then you can look up the IP in the ipaddr column, and the value needs to be read from a second column. Having the key and the value in the same column is currently not supported by the CSV lookup adapter.
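
Added example (not part of the original thread and not Graylog's own code): a Python script that turns a one-address-per-line list into the two-column key/value CSV described in the reply above, quoting every field with the default double quote. The value column name `malicious`, the value `true`, and the sample addresses are assumptions.

```python
import csv
import io
import ipaddress

KEY_COLUMN = "ipaddr"       # key column name mentioned in the thread
VALUE_COLUMN = "malicious"  # assumed name for the value column


def build_lookup_csv(raw_list):
    """Convert a one-IP-per-line list into a key,value CSV.

    Returns (csv_text, rejected_entries). Invalid entries are reported
    rather than written, so a typo never becomes a lookup key.
    """
    seen = set()
    rejected = []
    out = io.StringIO()
    # Quote every field with the double quote, the adapter's default.
    writer = csv.writer(out, quotechar='"', quoting=csv.QUOTE_ALL,
                        lineterminator="\n")
    writer.writerow([KEY_COLUMN, VALUE_COLUMN])
    for line in raw_list.splitlines():
        entry = line.strip().strip('"')
        if not entry or entry.lower() == KEY_COLUMN:
            continue  # skip blank lines and an existing header row
        try:
            ip = str(ipaddress.ip_address(entry))
        except ValueError:
            rejected.append(entry)
            continue
        if ip not in seen:  # duplicate keys add nothing to a lookup
            seen.add(ip)
            writer.writerow([ip, "true"])
    return out.getvalue(), rejected


# Constructed sample input (documentation ranges, not real indicators).
SAMPLE = """ipaddr
192.0.2.10
198.51.100.7
192.0.2.10
not-an-ip
 203.0.113.99 
"""

if __name__ == "__main__":
    text, bad = build_lookup_csv(SAMPLE)
    print(text, end="")
    print("rejected:", bad)
```

In the data adapter, the key column would then be `ipaddr` and the value column `malicious`, with the quote character left at its default.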

