eknaak
Level 7

Incorrect geolocation data


Please forgive me if this is a silly question or a case of RTFM. I'm new to the ESM.

I'm trying to set up a view that shows the geolocation of source IPs that are attempting SSH connections to the external facing interface of a McAfee Enterprise Firewall. The log from the firewall clearly shows "src_geo=CN" or "src_geo=RU" for the vast majority of the packets that match my filter; however, the ESM lists them all as "Washington, United States". This is the same for both source and destination, which leads me to believe that the ESM doesn't use the geolocation data from the firewall logs and is also not doing the resolution itself.

[Attached screenshots: One.jpg, two.jpg]

I've followed KB74247 to configure geolocation in the logs for my receiver.

So, my questions are: How does the ESM resolve geolocation? What have I done incorrectly in my (noob) attempt to get geolocation data that is clearly present in the log data to show in an ESM view?

Thank you!

1 Solution

Accepted Solutions
mhooper1
Level 8

Re: Incorrect geolocation data


I suspect you have an issue with zones, as the IP is definitely in Russia, as you mentioned.

Check your zones and make sure that the high level zone is blank; I suspect you will have it set to Washington. The geolocation on zones overwrites anything we get from the Geolocation database. If you set the top level as blank, then create sub zones with your internal IPs defined with an applied Geolocation, I think you will find this will fix your issue.

regards

Mason
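The mechanism Mason describes (a geolocation applied to a zone overriding the SIEM's built-in database lookup) can be modelled in a few lines. The following is an added example written for this thread, not ESM code or McAfee's lookup logic: it parses constructed firewall log lines in the key=value style quoted in the question, resolves each source IP through a hypothetical zone table with most-specific-match precedence, falls back to a constructed stand-in for the geolocation database, and reports where the firewall's src_geo and the SIEM-side result disagree. Geolocation is reduced to a country code here, and the IP ranges, zone names and log lines are all made up for the demonstration.

```python
import ipaddress
from typing import Optional

# Constructed firewall log lines in the key=value style the question quotes
# (src_geo=CN / src_geo=RU). Addresses are documentation ranges, not real hosts.
FIREWALL_LOG = """\
2024-01-10T10:00:01 action=deny proto=tcp src_ip=203.0.113.5 dst_ip=198.51.100.10 dst_port=22 src_geo=CN dst_geo=US
2024-01-10T10:00:02 action=deny proto=tcp src_ip=192.0.2.77 dst_ip=198.51.100.10 dst_port=22 src_geo=RU dst_geo=US
2024-01-10T10:00:03 action=allow proto=tcp src_ip=10.1.2.3 dst_ip=198.51.100.10 dst_port=22 src_geo= dst_geo=US
"""

# Constructed stand-in for the SIEM's internal geolocation database
# (a later reply says ESM uses a MaxMind DB; this dict is only a test fixture).
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}


def parse_kv_line(line: str) -> dict:
    """Split a 'key=value key=value' log line into a dict; empty values stay empty."""
    fields = {}
    for token in line.split()[1:]:  # first token is the timestamp
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def db_lookup(ip: str) -> Optional[str]:
    """Country code from the (constructed) geolocation database, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_DB.items():
        if addr in net:
            return country
    return None


def resolve(ip: str, zones) -> Optional[str]:
    """Hypothetical model of zone precedence as the accepted answer describes it:
    the most specific zone containing the IP wins; if that zone carries a
    geolocation it overrides the database, and a blank zone falls through to it."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, geo) for net, geo in zones if addr in net]
    if matches:
        _net, geo = max(matches, key=lambda m: m[0].prefixlen)
        if geo:
            return geo
    return db_lookup(ip)


def compare(log: str, zones) -> list:
    """Return (src_ip, firewall_geo, siem_geo) for every line where the two disagree."""
    mismatches = []
    for line in log.splitlines():
        f = parse_kv_line(line)
        fw_geo = f.get("src_geo") or None   # firewall leaves src_geo blank for private IPs
        siem_geo = resolve(f["src_ip"], zones)
        if fw_geo != siem_geo:
            mismatches.append((f["src_ip"], fw_geo, siem_geo))
    return mismatches


# Misconfigured: the top-level (catch-all) zone carries a geolocation, so every
# address inherits it and the view shows one location for all sources.
BAD_ZONES = [
    (ipaddress.ip_network("0.0.0.0/0"), "US"),
    (ipaddress.ip_network("10.0.0.0/8"), "US"),
]

# Corrected per the accepted solution: top-level zone left blank, only the
# internal sub-zone has a geolocation applied; external IPs use the database.
GOOD_ZONES = [
    (ipaddress.ip_network("0.0.0.0/0"), None),
    (ipaddress.ip_network("10.0.0.0/8"), "US"),
]

if __name__ == "__main__":
    for label, zones in (("top-level zone has a geolocation", BAD_ZONES),
                         ("top-level zone blank", GOOD_ZONES)):
        print(label, "->", compare(FIREWALL_LOG, zones))
```

With the catch-all zone set, every source disagrees with the firewall, which is the symptom in the original post; with it blank, the only remaining difference is the internal host, whose country comes from the sub-zone rather than from the database, which is the intended effect of applying a geolocation to internal ranges.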

9 Replies
alexander_h
Level 12

Re: Incorrect geolocation data


Actually it will perform a WHOIS lookup on port 43, so ensure that the port is open on your FW so the ESM can perform the lookup.

0 Kudos
alexander_h
Level 12

Re: Incorrect geolocation data


Here is the KB that describes the port and addresses used for WHOIS:

McAfee KnowledgeBase - What URL and port number does the ESM use for WhoIs Lookups?

0 Kudos

Re: Incorrect geolocation data


Correction: The SIEM utilizes an internal database (MaxMind) to associate IP addresses with geolocation and not a resolution using WHOIS (unless you are selecting an event and requesting a WHOIS from the event dropdown menu).

If the geolocation data provided by the McAfee Enterprise Firewall is inconsistent with that provided by the SIEM then there appears to be a discrepancy in the two geolocation resolutions being performed by each product.

I would suggest doing a manual IP geolocation resolution using www.whois.net to determine the correct value for the IP address in question. This will tell you which of the two products is providing errant information, at which point you can log a support request with that product team to remedy the discrepancy.

alexander_h
Level 12

Re: Incorrect geolocation data


Thanks for the correction Michael, this is really good to know as it's not mentioned.

0 Kudos

Re: Incorrect geolocation data


Correction to my previous post...

Using a service like www.iplocation.net will provide more details regarding the IP geolocation.

eknaak
Level 7

Re: Incorrect geolocation data


Thanks for your input. I should have stated that I verified that the Enterprise Firewall log entries are correct. The ASN and Geolocation are identical for both source and destination in the SIEM. That's why I posted in the SIEM message board. I'm trying to find out how the SIEM does geolocation lookups so I can determine what may be going wrong or if I built my query incorrectly.

I'll open a ticket.

0 Kudos

eknaak
Level 7

Re: Incorrect geolocation data


Yes, Mason, that was the problem. Thank you!

Erich

arnieos
Level 7

Re: Incorrect geolocation data


Hi eknaak,

Came across this post of yours as I'm also having the same problem. I would like to confirm whether the issue did get resolved by using zone management in ESM.

If yes, can you provide more details on how it was fixed? I'm also new to ESM, so your response would be greatly appreciated.

Thanks in advance. 

0 Kudos