"who is" not working for many IPs

1) We are using the out-of-the-box “who is” data adapter, but it looks like many IPs get a null value (for example, IPs that do have WHOIS data associated if you look them up via any WHOIS provider).
What could be the reason for such null entries, and how can this be resolved?

2) Is there a plugin or data adapter for ASN numbers? Finding the ASN number from an IP address.

1: You may be throttled since the data adapter may do live lookups and whatever it’s looking things up from may not like the rate at which it’s doing it. Maybe. Unsure.

2: No.

Thanks for the reply! Do you know what API is being called from the “who is” data adapter, or where I can find that setting?

If you poke into the adapter/plugin documentation or code, you should be able to find that out yourself. I assume that you would definitely need an account with the WHOIS provider, or an API key. They usually don’t take it lightly when an unsubscribed party keeps spamming their API or site with queries for data.

I’ve been looking around a bit and found this older thread. It seems that I misunderstood: it’s not a separate plugin, but the Graylog standard “threatintel plugins”. Correct? That would mean you’d need the relevant docs for that one, though I doubt you can poke into the code.

The docs are here →

It notes:

The plugin will use the ARIN WHOIS servers for the first lookup because they have the best redirect to other registries in case they are not responsible for the block of the requested IP address. Graylog will follow the redirect to other registries like RIPE-NCC, AFRINIC, APNIC or LACNIC. Future versions will support initial lookups in other registries, but for now, you might experience longer latencies if your Graylog cluster is not located in North America.

So I guess they (Graylog team) are relying on unauthenticated WHOIS lookups. Is that correct @jan?

The ARIN information pages don’t mention rate limiting specifically. They also suggest that unauthenticated lookups are just fine and that, in many cases, you won’t need an API key.
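The following is an added example, not code from this thread or from the Graylog threatintel plugin. It shows the two points the posts above make: a lookup that starts at ARIN and follows the `ReferralServer:` redirect to the responsible registry, and client-side pacing so a burst of unauthenticated lookups does not get throttled (which is what a null answer from a live adapter typically looks like). The registry hostnames and the response shape are the real ARIN conventions; the sample responses, the `TokenBucket` limits and the `MAX_HOPS` budget are assumptions chosen for the demo. Parsing and pacing run offline on the constructed replies; a network query only happens if you call `lookup()` with the default `whois_query`.

```python
"""Added example: ARIN-first WHOIS lookup with referral following and pacing.
Not part of the Graylog plugin; hostnames are the public registry servers,
sample replies and limits are constructed for the demo."""
import re
import socket
import time
from typing import Callable, Optional, Tuple

ARIN_HOST = "whois.arin.net"   # first hop, as the quoted docs describe
MAX_HOPS = 3                   # assumption: stop runaway redirect chains

# Constructed sample: an ARIN reply for a block it does not manage.
SAMPLE_ARIN_REFERRAL = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       192.0.2.0 - 192.0.2.255
ReferralServer: whois://whois.ripe.net
OrgName:        Example Holder (constructed)
"""

# Constructed sample: the reply from the registry that actually holds the block.
SAMPLE_FINAL = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
country:        EX
"""

# ARIN emits "ReferralServer: whois://host" (or rwhois://host:port) when another
# registry is responsible for the block.
_REFERRAL = re.compile(r"^ReferralServer:\s*(r?whois)://([^\s:/]+)(?::(\d+))?",
                       re.IGNORECASE | re.MULTILINE)


def parse_referral(text: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the referred registry, or None if this is the final answer."""
    match = _REFERRAL.search(text)
    if match is None:
        return None
    scheme, host, port = match.groups()
    default_port = 4321 if scheme.lower() == "rwhois" else 43
    return host, int(port) if port else default_port


class TokenBucket:
    """Client-side pacing: refuse a lookup instead of hammering the registry."""

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def try_acquire(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def whois_query(host: str, query: str, port: int = 43, timeout: float = 5.0) -> str:
    """Plain port-43 WHOIS exchange: send the query line, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def lookup(ip: str,
           query_fn: Callable[[str, str, int], str] = whois_query,
           limiter: Optional[TokenBucket] = None) -> Optional[Tuple[str, str]]:
    """Start at ARIN and follow referrals. Returns (answering_host, text),
    or None when the limiter refuses a hop (the 'null' a throttled adapter shows)."""
    host, port = ARIN_HOST, 43
    text = ""
    for _ in range(MAX_HOPS):
        if limiter is not None and not limiter.try_acquire():
            return None
        text = query_fn(host, ip, port)
        referral = parse_referral(text)
        if referral is None:
            return host, text
        host, port = referral
    return host, text   # hop budget exhausted; hand back the last reply


if __name__ == "__main__":
    # Offline demonstration using the constructed replies instead of the network.
    def fake_query(host: str, query: str, port: int) -> str:
        return SAMPLE_ARIN_REFERRAL if host == ARIN_HOST else SAMPLE_FINAL

    print(lookup("192.0.2.1", query_fn=fake_query))
```

Note that each referral costs a second query against a second registry, so a lookup from outside ARIN's region can consume two or three tokens and twice the latency; size the bucket per hop, not per IP, and log a refused hop separately from a genuinely empty registry answer so the two kinds of "null" can be told apart.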

So I guess they (Graylog team) are relying on unauthenticated WHOIS lookups. Is that correct @jan?

100% correct - we would not be able to authenticate for all people using this.

Yeah that makes sense of course. I would imagine that at some point, a customer with huge amounts of WHOIS lookups would like the option to add their own API key into a configuration. Sounds like a feature request you could expect in the next few years. Or they’d need to code their own :wink:

Feel free to open one.
