1)We are using out of box “who is” data adapter but looks like many IPs for example 220.127.116.11 gets null value (it has who is data associated if you look via any who is provider).
What could be the reason for such null entries and how can this be resolved?
is there a plugin or data adapter for ASN number ? Finding ASN number from IP address.
If you poke into the adapter/plugin documentation or code, you should be able to find that out yourself. I assume that you would definitely need an account with the WHOIS provider, or an API key. They usually don’t take it lightly when an unsubscribed party keeps spamming their API or site with queries for data.
I’ve been looking around a bit and found this older thread. It seems that I misunderstood: it’s not a separate plugin, but the Graylog standard “threatintel plugins”. Correct? That would mean you’d need the relevant docs for that one, though I doubt you can poke into the code.
The docs are here →
The plugin will use the ARIN WHOIS servers for the first lookup because they have the best redirect to other registries in case they are not responsible for the block of the requested IP address. Graylog will follow the redirect to other registries like RIPE-NCC, AFRINI, APNIC or LACNIC. Future versions will support initial lookups in other registries, but for now, you might experience longer latencies if your Graylog cluster is not located in Nort America.
So I guess they (Graylog team) are relying on unauthenticated WHOIS lookups. Is that correct @jan?
The ARIN information pages don’t mention rate limiting specifically. They also suggest that unauthenticated lookups are just fine and that, in many cases, you won’t need an API key.
Yeah that makes sense of course. I would imagine that at some point, a customer with huge amounts of WHOIS lookups would like the option to add their own API key into a configuration. Sounds like a feature request you could expect in the next few years. Or they’d need to code their own