Hi There -
I have a client that is using Internet routable addressing on their private network (historical) and I'd like to change the GeoLocation in NW 10 to reflect the organization rather than leveraging default tagged country, organization, etc. For both investigations and reporting having this changed would be helpful.
Does anyone know if this is possible?
Are you trying to set the direction of traffic correctly?
Are you using org.dst exists as an indicator of outbound traffic?
If so, consider using the traffic_flow parser and then update the traffic_flow options file to mark that public range as internal, and your direction will be set properly in the direction metakey (outbound, inbound, lateral).
The geo data from MaxMind can be customized to add location for private IP addresses that will never be in the MaxMind DB, but not sure you can override public addresses with new versions to remove/set org information to mark public ranges internal. geoprivate.ipl on the decoders allows you to add location info for private ranges, but don't think it allows override of existing MaxMind DB.
https://community.rsa.com/docs/DOC-44948