Whois Plugin not working

Hi all,

I have recently set up the Threat Intelligence Lookup Plugin on our Graylog 3.2.4 server. Everything is working fine except for the Whois Threat Intelligence Plugin. The Pipeline rule that I have made isn’t set at the first stage of the pipeline but at a later one to help reduce the number of lookups on arin.net. Here is the rule:

rule "WHOIS: cisco_src_outside_ip"
when
  contains(to_string($message.src_addr_threat_indicated), "true", true)
then
  let wi = whois_lookup_ip(to_string($message.cisco_src_outside_ip), "src_ip");
  set_fields(wi);
end

The rule does work. When I check my Graylog logs (/var/log/graylog-server/server.log) it throws an error:

ERROR [WhoisIpLookup] Could not lookup WHOIS information for [X.X.X.X] at [ARIN].

Also when I manually plug an IP into the Whois Lookup table I receive this message:

{
  "single_value": "Lookup Error: Connection reset",
  "multi_value": {
    "value": "Lookup Error: Connection reset"
  },
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000
}

I have searched online for quite some time but have come up with no solution. Has anyone experienced this before? If so, how did you solve the problem? Any help is greatly appreciated.

Your Graylog server might not be able to query the whois server - because the communication is forbidden? Or ARIN has rate-limited your IP because you did too many lookups already?

I guess your Graylog is not able to make the whois connection because of a firewall.

Whois uses standard port 43/TCP; check that your firewall allows it.
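A quick way to tell these causes apart from the Graylog host itself is to issue the same raw WHOIS query the plugin does (TCP/43 to ARIN) and look at the exact socket error. The script below is an added example, not part of the thread or of the Graylog plugin; the ARIN host/port defaults and the fake local responder are constructed here so the client can be exercised offline.

```python
import socket
import threading

# Constructed defaults: the Graylog plugin queries ARIN first, on TCP/43.
ARIN_HOST = "whois.arin.net"
WHOIS_PORT = 43


def whois_query(ip, host=ARIN_HOST, port=WHOIS_PORT, timeout=5.0):
    """Send one raw WHOIS query; return (status, detail) where status is
    "ok" (record text in detail), "timeout" (no reply: firewall dropping
    TCP/43), "refused" (RST on connect), "reset" (accepted then reset
    mid-exchange, the lookup table's "Connection reset"), or "error"."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall((ip + "\r\n").encode("ascii"))  # WHOIS query line
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:  # server closes the connection after the record
                    break
                chunks.append(data)
        return "ok", b"".join(chunks).decode("utf-8", errors="replace")
    except socket.timeout:
        return "timeout", "no response within %.1fs" % timeout
    except ConnectionRefusedError as exc:
        return "refused", str(exc)
    except ConnectionResetError as exc:
        return "reset", str(exc)
    except OSError as exc:
        return "error", str(exc)


def start_fake_whois_server(reply):
    """Stand-in responder on 127.0.0.1 so whois_query can be exercised
    offline; serves one connection and returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)  # consume the query line
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `whois_query("192.0.2.1")` from the Graylog server: a "timeout" points at an outbound firewall rule, while a "reset" matches the plugin's "Connection reset" and is worth comparing against ARIN's rate limits.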
