I’ve been using the threatintel plugin to build out a SIEM product for the consideration of our business.
Everything has been working fine, with the exception of WHOIS lookups.
At first, I was getting “N/A” for every country code and organization; this was simply due to TCP-43 not being open on our firewalls.
Now that the rules are in place, what I’m seeing is partial success, where around 50% of the lookups are being completed, but the other 50% are still showing as “N/A” (this is ignoring RFC 1918 addresses; these are ALL external addresses which I can manually look up successfully).
I can’t see anything in the logs (prior to having port 43 open, I was seeing a lookup error, now there’s nothing).
Has this behavior been noted by anyone else? Is there anywhere specifically I should look? Or is this never likely to be viable? Since my OTX lookups are ALL working, it seems odd that there’s a timeout issue. My cluster load is also below 5%, and this is a large datacenter with a 400Mbps internet-out.
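An added diagnostic example (my own code, not from the original post or the plugin): a minimal RFC 3912 WHOIS client that queries IANA on TCP 43 with an explicit timeout, follows the `refer:` line to the responsible RIR, and parses country/org from the reply, so results for the addresses that come back “N/A” can be compared against the plugin’s from the same host. The field names and the sample reply are constructed assumptions; real RIR output varies.

```python
import re
import socket

# Constructed sample reply in the style of an RIR answer (illustration only, not a real record).
SAMPLE_REPLY = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
org-name:       Example Org Ltd
country:        gb
"""

COUNTRY_RE = re.compile(r"^country:\s*([A-Za-z]{2})\s*$", re.M)
ORG_RE = re.compile(r"^(?:org-?name|organi[sz]ation|descr):\s*(.+?)\s*$", re.M | re.I)
REFER_RE = re.compile(r"^refer:\s*(\S+)", re.M)

def parse_whois(text: str) -> dict:
    """Return the first country and organisation found; 'N/A' when a field is absent."""
    country, org = COUNTRY_RE.search(text), ORG_RE.search(text)
    return {"country": country.group(1).upper() if country else "N/A",
            "organization": org.group(1) if org else "N/A"}

def find_referral(text: str):
    """IANA answers an IP query with a 'refer:' line naming the responsible RIR."""
    m = REFER_RE.search(text)
    return m.group(1) if m else None

def whois_query(query: str, server: str, timeout: float = 5.0) -> str:
    """RFC 3912 exchange: send '<query>\\r\\n' on TCP 43 and read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{query}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def lookup(ip: str, timeout: float = 5.0) -> dict:
    """Ask IANA, follow one referral to the RIR, parse; a failure is reported, not hidden."""
    try:
        first = whois_query(ip, "whois.iana.org", timeout)
        rir = find_referral(first)
        text = whois_query(ip, rir, timeout) if rir else first
        return {**parse_whois(text), "server": rir or "whois.iana.org", "error": None}
    except OSError as exc:  # connection refused, DNS failure and socket.timeout are all OSError
        return {"country": "N/A", "organization": "N/A", "server": None, "error": repr(exc)}
```

Run `lookup()` over a handful of the addresses that come back “N/A” from the plugin: a populated `error` field separates a network/firewall problem from a reply the parser simply did not recognise.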