Forum Discussion
Reliable resources for identifying IP addresses
Hello!
I'm a project manager responsible for the WAF implementation in my organization. Aside from overseeing the implementation, I'm in the trenches, so to speak, with the everyday care and feeding of WAF which is likely unusual for a project manager. 😃
Our systems administrators have setup our WAF logs so that they are logged in Splunk and Oracle. I have created numerous reports, dashboards, and alerts that Splunk uses against a lookup table that I built to identify the IP address owners. This manually built and maintained by myself in Excel and was started with IP records provided by two of our business owners for educational institutions that use their services. The Excel spreadsheet is over 100K lines and I lookup IPs using ARIN as part of growing this IP table. This is cumbersome to say the least.
My manager wants to move more of our WAF reporting to an Apex tool that one of our application developers built. This renders my Splunk lookup table useless. What resources are others in the community using to identify IP addresses? The application developer responsible for the Apex application would like something available via API.
I began the effort to identify IP addresses to help with our tuning and remediation efforts. We look more kindly upon infractions from an educational institutions than traffic from a bot source. We will do post production tuning against a policy if one of our business owners reports a block on behalf of an end user. The IP identification helps with this process. Our WAF administrator is extremely cautious which I respect because we need to protect our infrastructure but our processes for remediation and tuning are quite tedious.
Thank you in advance for any resources you can provide!
Jodi
Hi @jlsantini,
What i understand from your write up, i am probably trying to translate into the technical requirements you are looking for a feature that can be use to IP intelligence, here what i can suggest you find more details about these 2 features in F5 ASM/WAF and how to implement them mentioned below
All these topics when implement properly will address your identifying IP address related queries and help you offload your manual task for matching IP address using excel sheet, which is not a viable solution when you can harness the features like below in F5 ASM.
- IP Intelligence. - Detect malicious activity and IP addresses with help from a global threat-sensor network and IP intelligence database. Enable granular threat reporting and. To implement IPI there are some prerequisites as follows: IPI license; A user with admin privileges; BIG-IP must have internet connectivity
2. Geolocation - F5 BIG-IP supports two types of IP geolocation databases: Edge and Pulse. The Edge database is based on IP traffic data, while the Pulse database uses information from mobile devices and Wi-Fi connection points. The Pulse database is more accurate, but also larger in file size, so F5 doesn't support city level for it.
F5 updates the IP geolocation database every Tuesday based on new databases created by Digital Element each week. F5 recommends keeping geolocation up to date because IPs can change countries.
To download and install updated IP geolocation database files on a BIG-IP system, users can:
Go to the GeoLocationUpdates container on the MyF5 Downloads site
Download the updated files
Install the files on the BIG-IP system
Users can check if the IP geolocation database files on the BIG-IP system are up-to-date by following the procedure in K12866: Troubleshooting IP geolocation database inaccuracies.
F5's geolocation feature can also capture a device's latitude by using the device's address.IP Intelligence Categories
Reference: IP Intelligence Categories
Category Name Description Spam Sources IP addresses tunneling spam messages through proxy, anomalous SMTP activities and forum spam activities. Windows Exploits Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities. Web Attacks IP addresses involved in cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force. Botnets IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) and are controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways. Scanners IP addresses that are involved in reconnaissance, such as probes, host scan, domain scan, and password brute force, typically to identify vulnerabilities for later exploits. Denial of Service IP addresses involved in application DoS Attacks, or anomalous traffic detection. Infected Sources Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses. Phishing Proxies IP addresses that host phishing sites, and other kinds of fraud activities, such as ad click fraud or gaming fraud. Anonymous Proxy IP addresses that are associated with web proxies that shield the originator's IP address (such as proxy and anonymization services). Cloud-based Services IP addresses and networks that are used by cloud providers. Mobile Threats IP addresses of malicious and unwanted mobile applications. Tor Proxies IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination. Here are some reference web links i am sharing go through them and once you find if it matches to your requirement, please feel free and please come back with more queries for helping in any particular scenario.
I will be glad to assist you further.
Initially you can go through these reference
Module 1: IPI & Geolocation
Module 1: IPI & Geolocation (f5.com)
Add a Geolocation Policy
Lab 2 - Add a Geolocation Policy (f5.com)
Configuring geolocation enforcement using BIG-IP ASM security policy (f5.com)
https://my.f5.com/manage/s/article/K79414542
Looking up IP geolocation data using the geoip_lookup command
https://my.f5.com/manage/s/article/K15042
IP Intelligence Policies
Lab 1 - IP Intelligence Policies (f5.com)
https://www.f5.com/pdf/products/ip-intelligence-service-ds.pdf
The Power of IP Intelligence (IPI)
Managing IP reputations and the IP Address Intelligence database
https://my.f5.com/manage/s/article/K13875
Please rate or mark it as solution in case this address your queries regarding manual IP address checking to feature rich IP intelligence and geolocation-based ASM policy inclusiveness.
That will be helpful for others reading this blog.
HTH
🙏
Hi @jlsantini,
What i understand from your write up, i am probably trying to translate into the technical requirements you are looking for a feature that can be use to IP intelligence, here what i can suggest you find more details about these 2 features in F5 ASM/WAF and how to implement them mentioned below
All these topics when implement properly will address your identifying IP address related queries and help you offload your manual task for matching IP address using excel sheet, which is not a viable solution when you can harness the features like below in F5 ASM.
- IP Intelligence. - Detect malicious activity and IP addresses with help from a global threat-sensor network and IP intelligence database. Enable granular threat reporting and. To implement IPI there are some prerequisites as follows: IPI license; A user with admin privileges; BIG-IP must have internet connectivity
2. Geolocation - F5 BIG-IP supports two types of IP geolocation databases: Edge and Pulse. The Edge database is based on IP traffic data, while the Pulse database uses information from mobile devices and Wi-Fi connection points. The Pulse database is more accurate, but also larger in file size, so F5 doesn't support city level for it.
F5 updates the IP geolocation database every Tuesday based on new databases created by Digital Element each week. F5 recommends keeping geolocation up to date because IPs can change countries.
To download and install updated IP geolocation database files on a BIG-IP system, users can:
Go to the GeoLocationUpdates container on the MyF5 Downloads site
Download the updated files
Install the files on the BIG-IP system
Users can check if the IP geolocation database files on the BIG-IP system are up-to-date by following the procedure in K12866: Troubleshooting IP geolocation database inaccuracies.
F5's geolocation feature can also capture a device's latitude by using the device's address.IP Intelligence Categories
Reference: IP Intelligence Categories
Category Name Description Spam Sources IP addresses tunneling spam messages through proxy, anomalous SMTP activities and forum spam activities. Windows Exploits Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities. Web Attacks IP addresses involved in cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force. Botnets IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) and are controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways. Scanners IP addresses that are involved in reconnaissance, such as probes, host scan, domain scan, and password brute force, typically to identify vulnerabilities for later exploits. Denial of Service IP addresses involved in application DoS Attacks, or anomalous traffic detection. Infected Sources Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses. Phishing Proxies IP addresses that host phishing sites, and other kinds of fraud activities, such as ad click fraud or gaming fraud. Anonymous Proxy IP addresses that are associated with web proxies that shield the originator's IP address (such as proxy and anonymization services). Cloud-based Services IP addresses and networks that are used by cloud providers. Mobile Threats IP addresses of malicious and unwanted mobile applications. Tor Proxies IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination. Here are some reference web links i am sharing go through them and once you find if it matches to your requirement, please feel free and please come back with more queries for helping in any particular scenario.
I will be glad to assist you further.
Initially you can go through these reference
Module 1: IPI & Geolocation
Module 1: IPI & Geolocation (f5.com)
Add a Geolocation Policy
Lab 2 - Add a Geolocation Policy (f5.com)
Configuring geolocation enforcement using BIG-IP ASM security policy (f5.com)
https://my.f5.com/manage/s/article/K79414542
Looking up IP geolocation data using the geoip_lookup command
https://my.f5.com/manage/s/article/K15042
IP Intelligence Policies
Lab 1 - IP Intelligence Policies (f5.com)
https://www.f5.com/pdf/products/ip-intelligence-service-ds.pdf
The Power of IP Intelligence (IPI)
Managing IP reputations and the IP Address Intelligence database
https://my.f5.com/manage/s/article/K13875
Please rate or mark it as solution in case this address your queries regarding manual IP address checking to feature rich IP intelligence and geolocation-based ASM policy inclusiveness.
That will be helpful for others reading this blog.
HTH
🙏- jlsantiniAltocumulus
Thank you for the detailed information. I have no access to the F5 to do any of this so I will share it with our WAF team. We've been using IP Intelligence for the last month or so and we really like it. Will the additional tools you suggest allow us to identify IP 123.45.67.8 as belonging to Fred Flintstone University? That is what I've been able to achieve with the lookup table that I built in Splunk. Thanks again!
I don't think the IPI tool itself will provide detail for specific IPs such as ownership, other than the category it falls into. You might consider looking into a service such as https://www.greynoise.io/ or others which may have integrations with stuff like Splunk.
My opinion is that having the data in something like Splunk for folks to be able to slice and dice logs on demand in addition to more targeted/boutique style applications is going to be worthwhile.
- jlsantiniAltocumulus
I marked this as a solution although I have no control over whether your recommendations will be implemented aside from IPI. We just completed purchase of the product after really liking the results during our trial. I appreciate the help!
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com