Hello,
I am relying heavily on geographic information presented within Investigator, mainly source and dest city, organization and such.
Is the DB used by Investigator updated on a regular basis, and can I download the updates into my network?
I am using Investigator on a computer not connected to the internet.
Thank you,
John.
The GEOIP information is from maxmind- and its their free version, which is about 96% accurate or better at the time that our bundled software is released. Given that IP addresses change over time, along with org and domain ownership, the GEOIP data does degrade over time between new software releases. It is not updated live from within the product.
You can subscribe to MaxMind's GEOIP database yourself (paid subscription I think) and update the information by updating the geoip.dat file. See the help file in investigator for details on how to do this.
That said, I have found that the org.src and org.dst, and domain.src and domain.dst keys are more accurate than city source and destination information.
Out of curiosity, why do you rely on the GEOIP information so much for your use case? What results are you shooting for? There might be another way to get your goals....
Hi Fielder, thank you very much for your reply.
However, I was unable to find the geoip.dat file anywhere, and the help file within investigator wasn't of much help.
If you could be more specfic as the what is the file name and where it is located I will be grateful.
John.
Hi John,
They are actually named "GeoCity.dat", "GeoCountry.dat", "GeoDomain.dat" and "GeoOrg.dat" and they normally reside on:
Win7 : \ProgramData\NetWitness\
Win7 : \Users\All Users\NetWitness\ (additional copy)
Win2K3 : \Documents and Settings\All Users\Application Data\NetWitness\
Those are the two OSes that I have immediate access to check but should give you a fairly good idea of where they live for most Windows based systems.
Only City and Country have Lite (i.e. free versions from MaxMind), Domain and Org are subscription only.
Hope that helps!
Regards,
Rui
on Feb 13, 2013
Hi John,
They are actually named "GeoCity.dat", "GeoCountry.dat", "GeoDomain.dat" and "GeoOrg.dat" and they normally reside on:
Win7 : \ProgramData\NetWitness\
Win7 : \Users\All Users\NetWitness\ (additional copy)
Win2K3 : \Documents and Settings\All Users\Application Data\NetWitness\
Those are the two OSes that I have immediate access to check but should give you a fairly good idea of where they live for most Windows based systems.
Only City and Country have Lite (i.e. free versions from MaxMind), Domain and Org are subscription only.
Hope that helps!
Regards,
Rui