Hi all,
I have recently set up the Threat Intelligence Lookup Plugin on our Graylog 3.2.4 server. Everything is working fine except for the Whois Threat Intelligence Plugin. The pipeline rule that I have made isn't set at the first stage of the pipeline but at a later one to help reduce the number of lookups on arin.net. Here is the rule:
rule "WHOIS: cisco_src_outside_ip"
when
  contains(to_string($message.src_addr_threat_indicated), "true", true)
then
  let wi = whois_lookup_ip(to_string($message.cisco_src_outside_ip), "src_ip");
  set_fields(wi);
end
The rule does work. When I check my Graylog logs (/var/log/graylog-server/server.log) it throws an error:
ERROR [WhoisIpLookup] Could not lookup WHOIS information for [X.X.X.X] at [ARIN].
Also when I manually plug an IP into the Whois Lookup table I receive this message:
{
  "single_value": "Lookup Error: Connection reset",
  "multi_value": {
    "value": "Lookup Error: Connection reset"
  },
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000
}
I have searched online for quite some time but have come up with no solution. Has anyone experienced this before? If so, how did you solve the problem? Any help is greatly appreciated.
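Added diagnostic, not code from the post above and not part of Graylog or its threat-intel plugin: "Connection reset" is what a Java socket reports when the peer (or something on the path) answers with a TCP RST, so the first thing to establish is whether a plain WHOIS query to ARIN on TCP port 43 works at all from the Graylog host, outside the JVM and the plugin. The script below sends one WHOIS query line and reads the reply, classifying the outcome as ok, reset, refused, timeout or other error. To make the check runnable offline it also starts a local stand-in server that either answers with a constructed record or deliberately aborts the connection with an RST, so both outcomes can be seen side by side. whois.arin.net is ARIN's real public WHOIS server; the script file name, the sample record and the 192.0.2.x addresses are assumptions for illustration.

```python
# Added example (not from the original post or from Graylog): a bare WHOIS
# client over TCP/43, the same exchange whois_lookup_ip() performs, plus a
# local stand-in server so the check can be exercised offline.
import socket
import struct
import sys
import threading

WHOIS_PORT = 43
ARIN_SERVER = "whois.arin.net"  # ARIN's public WHOIS server (standard port 43)

# Constructed sample record for the local stand-in server; not real ARIN data.
CONSTRUCTED_RECORD = (
    "NetRange:       192.0.2.0 - 192.0.2.255\n"
    "CIDR:           192.0.2.0/24\n"
    "NetName:        TEST-NET-1\n"
)


def whois_query(ip, server=ARIN_SERVER, port=WHOIS_PORT, timeout=5.0):
    """Send one WHOIS query and read the reply until the server closes.

    Returns (status, detail): "ok" with the reply text, or one of "reset",
    "refused", "timeout", "error" with the OS error message, so a middlebox
    RST can be told apart from DNS, routing or timeout problems.
    """
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(f"{ip}\r\n".encode("ascii"))  # WHOIS query line, CRLF
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:  # clean FIN from the server ends the reply
                    break
                chunks.append(data)
        return "ok", b"".join(chunks).decode("utf-8", "replace")
    except ConnectionResetError as e:    # RST mid-session: "Connection reset"
        return "reset", str(e)
    except ConnectionRefusedError as e:  # RST on the SYN: nothing listening
        return "refused", str(e)
    except socket.timeout as e:          # silently dropped packets
        return "timeout", str(e)
    except OSError as e:                 # DNS failure, unreachable network, ...
        return "error", str(e)


def start_fake_whois_server(mode):
    """Start a one-shot WHOIS stand-in on 127.0.0.1 and return (host, port).

    mode="answer": read the query, send CONSTRUCTED_RECORD, close with FIN.
    mode="reset":  read the query, then abort with a TCP RST, which is what
                   a client sees as "Connection reset" when a firewall or
                   proxy tears down port-43 sessions.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.recv(1024)  # wait for the query so the client is in recv()
            if mode == "answer":
                conn.sendall(CONSTRUCTED_RECORD.encode("ascii"))
            else:
                # SO_LINGER on with linger 0: close() sends RST instead of FIN
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))

    threading.Thread(target=serve, daemon=True).start()
    return "127.0.0.1", port


def main(argv):
    # No argument: offline demonstration against the local stand-in servers.
    # With an IP argument: query ARIN for real (run this on the Graylog host).
    if len(argv) > 1:
        status, detail = whois_query(argv[1])
        print(f"{ARIN_SERVER}:{WHOIS_PORT} -> {status}")
        print(detail[:400])
        return
    for mode in ("answer", "reset"):
        host, port = start_fake_whois_server(mode)
        status, detail = whois_query("192.0.2.1", host, port)
        print(f"stand-in server in {mode!r} mode -> {status}: {detail.strip()[:60]}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as, for example, `python3 whois_check.py 203.0.113.5` on the Graylog server itself (the hypothetical file name and address are placeholders). If the raw query also comes back as reset, the problem is on the network path for outbound TCP/43 (a firewall, proxy or IDS resetting the session) rather than in the plugin; if the raw query succeeds from the host while the plugin still fails, the difference lies on the JVM side (for instance an egress rule that applies only to the graylog service user, or a proxy setting the JVM picks up).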