Hi There -
I have a client that is using Internet routable addressing on their private network (historical) and I'd like to change the GeoLocation in NW 10 to reflect the organization rather then leveraging default tagged country, organization, etc. For both investigations and reporting having this changed would be helpful.
Does anyone know if this is possible?
I would suggest using the Geoprivate.ipl file on the decoders to see if it will override the maxmind data
Format of the geoprivate.ipl (note: blank file can be found under Decoder -> Config -> Files tab)
<?xml version="1.0" encoding="UTF-8"?>
<IpLocations>
<IP city="Palo Alto, CA" country="United States" fromIP="10.0.0.0" lat="37.269174" lon="-119.306607" org="XYZ Corp" toIP="10.255.255.255"/>
</IpLocations>
Thanks for the info. I do have my traffic defined for direction and that appears to be working as required. I did add the line to GroPrivate.ipl and unfortunately it does not look like it will allow an override of the existing Maxmind data. I will keep digging however as I suspect this isn't the first organization to come across this dilemma.
Thanks, Jay
are you trying to set the direction of traffic correctly?
are you using org.dst exists as an indicator of outbound traffic?
if so consider using the traffic_flow parser and then update the traffic_flow options file to mark that public range as internal and your direction will be set properly in the direction metakey (outbound, inbound, lateral).
the geo data from maxmind can be customized to add location for private ip addresses that will never be in the maxmind db but not sure you can override public addresses with new versions to remove/set org information to mark public ranges internal. geoprivate.ipl on the decorders allows you to add location info for private ranges but don't think it allows override of existing maxmind db.
https://community.rsa.com/docs/DOC-44948