Using Whois with SOCKS Proxy


(Germany) #1

Is there an option to access the whois service via a SOCKS proxy server? I can’t access the whois service directly; I have to use a proxy server - there are no direct routes to the internet. Unfortunately, I can’t find any options in the settings.
It would be great if this option were available.
(I am using Graylog v2.4.0-beta.1.)


(Jochen) #2

Which WHOIS service are you referring to?

Have you tried to configure an HTTP proxy in the Graylog configuration file?


(Germany) #3

I’m trying to use the WHOIS from the Threat Intelligence plugin. Mostly the plugin tries to access the servers of ARIN.
The HTTP proxy is set and works for all other parts of the Threat Intelligence plugin.
The main problem is that WHOIS uses its own protocol and not the HTTP protocol.
During the analysis it turned out that WHOIS (tcp/43) does not use the proxy settings from the server.conf file but tries to communicate directly with the target servers. Both netstat and a Wireshark trace show this behavior.

Yours sincerely, Chris
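
The behaviour described in the post above, as an added example that is not part of the original thread and is not Graylog or plugin code: a WHOIS query is a single line sent over a raw TCP connection to port 43, so it only leaves a proxied network if the client itself speaks SOCKS5 to the proxy first. The server name `whois.arin.net` and a no-authentication SOCKS5 proxy are assumptions; the proxy address passed in is whatever your environment uses.

```python
import ipaddress
import socket
import struct

WHOIS_PORT = 43  # WHOIS (RFC 3912) is plain TCP, so an HTTP proxy setting never applies to it


def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928) using a domain-name address, so the proxy does the DNS lookup."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def whois_via_socks5(query, proxy, server="whois.arin.net", timeout=10.0):
    """Send one WHOIS IP lookup through a no-auth SOCKS5 proxy; proxy is a (host, port) tuple."""
    ipaddress.ip_address(query)  # IP lookups only; also rejects CR/LF smuggled into the query
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")  # version 5, one method offered: 0x00 = no authentication
        if _recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy refused the no-auth method")
        s.sendall(socks5_connect_request(server, WHOIS_PORT))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if ver != 5 or rep != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed, reply code {rep}")
        # Skip the bound address (IPv4 = 4 bytes, IPv6 = 16, domain = length-prefixed) and port
        alen = _recv_exact(s, 1)[0] if atyp == 3 else {1: 4, 4: 16}[atyp]
        _recv_exact(s, alen + 2)
        s.sendall(query.encode("ascii") + b"\r\n")  # the whole WHOIS request: one CRLF-ended line
        chunks = []
        while True:  # the WHOIS server signals end of answer by closing the connection
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks).decode("utf-8", errors="replace")
```

With this in place, a packet capture on the Graylog host should show only connections to the proxy and none to tcp/43 directly.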


(Germany) #4

There is an option to use a REST interface to make the WHOIS query. Maybe that would be an option for the future; then I would make a feature request.
https://www.arin.net/resources/whoisrws/
https://www.arin.net/resources/whoisrws/whois_api.html

Yours sincerely, Chris


(Jochen) #5

Please open a bug report at https://github.com/Graylog2/graylog-plugin-threatintel/issues for this issue.


(Jochen) #6

For reference:

