Forum Discussion
AltocumulusReliable resources for identifying IP addresses
Hi @jlsantini,
What i understand from your write up, i am probably trying to translate into the technical requirements you are looking for a feature that can be use to IP intelligence, here what i can suggest you find more details about these 2 features in F5 ASM/WAF and how to implement them mentioned below
All these topics when implement properly will address your identifying IP address related queries and help you offload your manual task for matching IP address using excel sheet, which is not a viable solution when you can harness the features like below in F5 ASM.
- IP Intelligence. - Detect malicious activity and IP addresses with help from a global threat-sensor network and IP intelligence database. Enable granular threat reporting and. To implement IPI there are some prerequisites as follows: IPI license; A user with admin privileges; BIG-IP must have internet connectivity
2. Geolocation - F5 BIG-IP supports two types of IP geolocation databases: Edge and Pulse. The Edge database is based on IP traffic data, while the Pulse database uses information from mobile devices and Wi-Fi connection points. The Pulse database is more accurate, but also larger in file size, so F5 doesn't support city level for it.
F5 updates the IP geolocation database every Tuesday based on new databases created by Digital Element each week. F5 recommends keeping geolocation up to date because IPs can change countries.
To download and install updated IP geolocation database files on a BIG-IP system, users can:
Go to the GeoLocationUpdates container on the MyF5 Downloads site
Download the updated files
Install the files on the BIG-IP system
Users can check if the IP geolocation database files on the BIG-IP system are up-to-date by following the procedure in K12866: Troubleshooting IP geolocation database inaccuracies.
F5's geolocation feature can also capture a device's latitude by using the device's address.
IP Intelligence Categories
Reference: IP Intelligence Categories
| Category Name | Description |
|---|---|
| Spam Sources | IP addresses tunneling spam messages through proxy, anomalous SMTP activities and forum spam activities. |
| Windows Exploits | Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities. |
| Web Attacks | IP addresses involved in cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force. |
| Botnets | IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) and are controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways. |
| Scanners | IP addresses that are involved in reconnaissance, such as probes, host scan, domain scan, and password brute force, typically to identify vulnerabilities for later exploits. |
| Denial of Service | IP addresses involved in application DoS Attacks, or anomalous traffic detection. |
| Infected Sources | Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses. |
| Phishing Proxies | IP addresses that host phishing sites, and other kinds of fraud activities, such as ad click fraud or gaming fraud. |
| Anonymous Proxy | IP addresses that are associated with web proxies that shield the originator's IP address (such as proxy and anonymization services). |
| Cloud-based Services | IP addresses and networks that are used by cloud providers. |
| Mobile Threats | IP addresses of malicious and unwanted mobile applications. |
| Tor Proxies | IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination. |
Here are some reference web links i am sharing go through them and once you find if it matches to your requirement, please feel free and please come back with more queries for helping in any particular scenario.
I will be glad to assist you further.
Initially you can go through these reference
Module 1: IPI & Geolocation
Module 1: IPI & Geolocation (f5.com)
Add a Geolocation Policy
Lab 2 - Add a Geolocation Policy (f5.com)
Configuring geolocation enforcement using BIG-IP ASM security policy (f5.com)
https://my.f5.com/manage/s/article/K79414542
Looking up IP geolocation data using the geoip_lookup command
https://my.f5.com/manage/s/article/K15042
IP Intelligence Policies
Lab 1 - IP Intelligence Policies (f5.com)
https://www.f5.com/pdf/products/ip-intelligence-service-ds.pdf
The Power of IP Intelligence (IPI)
Managing IP reputations and the IP Address Intelligence database
https://my.f5.com/manage/s/article/K13875
Please rate or mark it as solution in case this address your queries regarding manual IP address checking to feature rich IP intelligence and geolocation-based ASM policy inclusiveness.
That will be helpful for others reading this blog.
HTH
🙏
AltocumulusThank you for the detailed information. I have no access to the F5 to do any of this so I will share it with our WAF team. We've been using IP Intelligence for the last month or so and we really like it. Will the additional tools you suggest allow us to identify IP 123.45.67.8 as belonging to Fred Flintstone University? That is what I've been able to achieve with the lookup table that I built in Splunk. Thanks again!
I don't think the IPI tool itself will provide detail for specific IPs such as ownership, other than the category it falls into. You might consider looking into a service such as https://www.greynoise.io/ or others which may have integrations with stuff like Splunk.
My opinion is that having the data in something like Splunk for folks to be able to slice and dice logs on demand in addition to more targeted/boutique style applications is going to be worthwhile.
