
Whois Lookup Ip


Keiko Bludworth

Jan 3, 2024, 2:37:51 AM
Threat detection specialists, digital forensics & incident response (DFIR) teams, or even non-technical users can use WHOIS lookups to find out more about domain names, IPs, and email addresses. Suspicious hosts and their WHOIS records can be investigated further to reduce the risk of malware-driven and phishing-led attacks.


I'm trying to use the lookup as you have it here, but all of those fields come out blank. The only fields that return anything are _raw and host. Additionally, if I do table * then contact.address, contact.email, contact.name, and contact.phone all return with the correct results, but no other fields from the whois lookup populate. Is there something I am doing wrong?



We were having the same problem and discovered that we were getting the below errors in the search.log (Job --> Inspect Job -> Search job properties - search.log) even though there was no indication of an issue. We are running Splunk Enterprise version 8.1.2, which defaults to python3. We were able to get the lookups working by setting them to run as python2.


To run an Internet WHOIS lookup for IP addresses, enter the IP address into the space above. Click "Lookup" and the tool will run a WHOIS search for the IP. You'll receive ARIN WHOIS data as well as information on your Internet service provider and the owner of the address.


Searching a WHOIS database of IP addresses works to find out who an IP address is registered to and provide other data when you already have an IP address. However, in some instances, you may need to first find an IP address from a domain in order to search it in the WHOIS lookup tool.


To find an IP address from a domain, look up the domain in the domain name system with the DNS lookup tool. To find a domain from an IP address, use a reverse IP address lookup, or reverse DNS lookup.


Query the whois database online to find information about a domain name or an IP address. With the whois lookup you can find the owner of the specified domain name, the domain creation and expiration date, the company behind an IP address, the contacts of the abuse department, and much more.


On December 1, 1999, management of the top-level domains (TLDs) com, net, and org was assigned to ICANN. At the time, these TLDs were converted to a thin WHOIS model. Existing WHOIS clients stopped working at that time. A month later, it had self-detecting Common Gateway Interface support so that the same program could operate a web-based WHOIS lookup, and an external TLD table to support multiple WHOIS servers based on the TLD of the request. This eventually became the model of the modern WHOIS client.


The need for web-based clients came from the fact that command-line WHOIS clients largely existed only in the Unix and large computing worlds. Microsoft Windows and Macintosh computers had no WHOIS clients installed by default, so registrars had to find a way to provide access to WHOIS data for potential customers. Many end-users still rely on such clients, even though command line and graphical clients exist now for most home PC platforms. Microsoft provides the Sysinternals Suite that includes a whois client at no cost.


There is currently no widely extended way for determining the responsible WHOIS server for a DNS domain, though a number of methods are in common use for top-level domains (TLDs). Some registries use DNS SRV records (defined in RFC 2782[25]) to allow clients to discover the address of the WHOIS server.[26] Some WHOIS lookups require searching the procuring domain registrar to display domain owner details.


The WHOIS lookup results will provide the domain name registration records, which contain key information like when the domain was registered, who it is registered to (and their associated IP addresses), and when it expires, from the WHOIS database.


Note for WHOIS lookup queries and results: please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.


This may sound strange, but I have to take 15k public IP addresses that are dumped out of a firewall log and run whois queries on them to find out who they belong to, and somehow find a way to put that whois information into a CSV or text file. I am a complete scripting noob, so I have no idea how to do this or how to go about this. Please help!


Got Linux? Easy shell script. Make a file called ip.txt with your list of IPs. Make a text file in your directory to contain the script (if you want, or just use the command line, but it's nice to save the script for future use), copy the script below into it, and make it executable. This will redirect your results to a text doc called whois.txt.


Martin9700 also posted a nice blog on whois, his report is an HTML output, but should easily be able to have it output to CSV instead of HTML. One caveat is that Martin's script requires PowerShell version 4.0.


Whois will probably not be very useful with just IP addresses. All you are going to get back is the owner of the net block and maybe an ASN. A provider lookup database would be more useful, so take a look at MaxMind.


Reverse IP lookup is now possible in FortiOS 5.4. A WHOIS lookup icon is available when you mouse over a public IP address in a FortiView log. If you left-click on the lookup icon, a new tab is opened in your browser for www.networksolutions.com, and a lookup is performed on the selected IP address (this option persists after drilling down one level in FortiView).


For quite some time now, I have noticed that the IP whois lookup within the Fortigate always fails. Is there any way to change the service or URL that the IP whois lookup uses? There are several free whois lookup sites that I could plug in if I could change that.
