In my previous post, I talked about how I used Logstash and Memcached to enrich IP addresses collected from HoneyPotDB with confidence scores from AbuseIPDB, which worked great! In this post I’ll quickly go over how I used the same method to add Whois data from https://ip-api.com/ to enrich IP addresses with:
Mobile IP status
VPN/Tor/Proxy IP status
Datacenter IP status
Creating a logstash pipeline
Here is my Logstash pipeline to do this; I’d recommend taking a look at my previous post to understand more about how it works. The pipeline below takes IP addresses and queries a Memcached instance to try to pull a cached value. If no value is cached, the IP-API API (:P) is queried for the information, which is added to the event and then stored in the cache for 7 days.
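To make the cache-aside flow described above concrete outside of Logstash, here is an added Python example (my own illustration, not the post’s pipeline or ip-api.com’s code). It models the same steps: look the IP up in Memcached, fall back to the API on a miss, copy the interesting fields onto the event, and store the result for 7 days so later hits skip the API. The Memcached client and the HTTP call are replaced by in-memory stand-ins so it runs offline; the field names `mobile`, `proxy` and `hosting` are assumed to match ip-api.com’s JSON response, and every sample value is constructed.

```python
"""Cache-aside enrichment of IP addresses with ip-api.com style data (added example)."""
import json
import time
from typing import Callable, Dict, Optional, Tuple

CACHE_TTL_SECONDS = 7 * 24 * 60 * 60  # 7 days, matching the post's cache lifetime


class FakeMemcached:
    """Minimal stand-in for a memcached client: set() with a TTL, get() returns None on miss or expiry."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._store: Dict[str, Tuple[str, float]] = {}
        self._clock = clock  # injectable so the demo can fast-forward past the TTL

    def get(self, key: str) -> Optional[str]:
        item = self._store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:
            del self._store[key]  # expired entry behaves like a miss
            return None
        return value

    def set(self, key: str, value: str, ttl: int) -> None:
        self._store[key] = (value, self._clock() + ttl)


# Constructed sample responses standing in for ip-api.com JSON output (assumed field names).
SAMPLE_IPAPI = {
    "198.51.100.7": {"status": "success", "mobile": False, "proxy": True, "hosting": True},
    "203.0.113.9": {"status": "success", "mobile": True, "proxy": False, "hosting": False},
}


def lookup_sample(ip: str) -> dict:
    """Stands in for the HTTP GET to ip-api.com; unknown IPs get a 'fail' response like the real API."""
    return SAMPLE_IPAPI.get(ip, {"status": "fail", "message": "private range"})


class Enricher:
    """Enriches events with mobile / proxy / datacenter flags, consulting the cache first."""

    def __init__(self, cache: FakeMemcached, lookup: Callable[[str], dict]):
        self.cache = cache
        self.lookup = lookup
        self.api_calls = 0  # counted so the demo can show how many lookups the cache saved

    def enrich(self, event: dict, ip_field: str = "src_ip") -> dict:
        ip = event.get(ip_field)
        if not ip:
            return event
        key = f"ipapi:{ip}"
        cached = self.cache.get(key)
        if cached is None:
            self.api_calls += 1
            data = self.lookup(ip)
            if data.get("status") != "success":
                # Failed lookups are not cached, so a transient API error is retried on the next event.
                event["ipapi_error"] = data.get("message", "lookup failed")
                return event
            cached = json.dumps({k: bool(data.get(k, False)) for k in ("mobile", "proxy", "hosting")})
            self.cache.set(key, cached, CACHE_TTL_SECONDS)
        info = json.loads(cached)
        event["ip_mobile"] = info["mobile"]
        event["ip_proxy"] = info["proxy"]        # VPN/Tor/proxy flag
        event["ip_datacenter"] = info["hosting"]  # datacenter / hosting provider flag
        return event


def run_demo() -> dict:
    """Walks one IP through miss, hit, expiry and a failed lookup; returns events and API call count."""
    now = [0.0]
    cache = FakeMemcached(clock=lambda: now[0])
    enricher = Enricher(cache, lookup_sample)
    e1 = enricher.enrich({"src_ip": "198.51.100.7"})   # miss: API queried, result cached
    e2 = enricher.enrich({"src_ip": "198.51.100.7"})   # hit: served from cache
    now[0] += CACHE_TTL_SECONDS + 1                    # fast-forward past the 7-day TTL
    e3 = enricher.enrich({"src_ip": "198.51.100.7"})   # expired: API queried again
    e4 = enricher.enrich({"src_ip": "10.0.0.5"})       # failed lookup: error recorded, nothing cached
    return {"events": [e1, e2, e3, e4], "api_calls": enricher.api_calls}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points carry over to the real pipeline: failed lookups are deliberately not cached, so an API hiccup does not poison the cache for a week, and the TTL is what keeps a busy honeypot from hammering a rate-limited API with the same repeat offenders.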