000036070 - Forensics UI-WHOIS does not work and can MaxMind be used instead in RSA Web Threat Detection 6.0

Document created by RSA Customer Support Employee on Apr 4, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036070
Applies ToRSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: 6.0
IssueForensics User Interface feature when right-clicking on an IP and selecting WHOIS for information on the IP from the WHOIS database system is not working in all customer environments. How can this be fixed? Also, could the MaxMind Geolocation database(which is used in WTD) be used instead?

Example Customer issue --
We have two items: - We are still having issues with our on-premise WTD properly handling the WHOIS in one environment, however, it works in another environment. The deployment is fine -could we use of GEO data (e.g. MaxMind) as External Data Sources to WTD?
ResolutionWHOIS is one of the first services from the internet not simple client server technology, it came before http

A  WHOIS client is a specific protocol to local WHOIS Server. An IP for a region goes to the American  NIC    and APJ NIC and EMEA Nic  depending on the IP, the protocol is like a branch, similar to DNS, searching for an .. 'authoritative answer'  If not able then it redirects to another server, this protocol uses two specific ports as there are two versions of the protocol. requests and responses, the answer comes in another port. So a firewall port needs to be open.  Often firewall port was not opened, so the protocol does not work locally there is a local whois conf file. 

WHOIS in WTD, talks to the OS, when in the UI you right click on an IP and option to do a WHOIS. It initiates the OS based to refer to the config files which directs to reach to closest WHOIS node and start the conversation. Therefore, to get an authoritative answer, you have to have Firewall open.  Many organizations don't allow the ports. 
In the UI, a successful lookup dumps out in a window. However,  if the lookup fails, the UI does nothing. 

The idea to use Maxmind instead when you right click on an IP to look up more information has been suggested before and there is already a Feature Request... 

Noting though we could get this info from Maxmint but we don't use it today.--
--. We only get city and state for a given Ip to create a  dot on the map. 
--  We also look at the ip address and calculate the mile difference between clicks and have a maximum range between clicks click 1    US  click 2 China  MiM possibility..   

There is a Feature Request for better use of GEO-IP data also as we currently are using legacy database and that is about to expire in April 2018 the updates will stop being published.  

So after that, if less than version 6.4, our customers will be working with an old file. Some customers have never updated the maxmind database which is now in our installation documentation in more recent versions.  
The one we ship is 5 years old, so it really needs to be updated at implementation.  Also, we realized that we needed an updated version because of IPV 6 issues --since the   IPV6 locations were not accurate and Maxmind did not have anything more than country for IPV6.  
In summary, WTD will be updated for detection at the city level by an upgrade to GEOIP2 complete libraries  Engineering just went through the code.  April 2018 is the target for release of version 6.4...  

Also to mention the likely reason that your system in AWS is ok is because of their local environment has the local config for WHOIS and can make successful WHOIS calls.  

You can find this config file in etc/JWHOIS.conf the information is just a seed to get the queries started. WTD-4912 is the Jira and I can add your name, as soon as I hear some feedback to what I have stated.  It is kind of a shotgun approach since you had not responded to my email yesterday, I was going off your request that does not have a lot of details, so pardon me if I made assumptions.