Description:

A powerful whois query processor primary designed to enrich DataFlows with whois based APIs (e.g. ShadowServer’s ASN lookup) but that can be also used to perform regular whois lookups.

Tags:

whois, enrich, ip

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property supports the Expression Language Guide.

Name	Default Value	Allowable Values	Description
Lookup value			The value that should be used to populate the query Supports Expression Language: true
Whois Query Type			The Whois query type to be used by the processor (if used)
Whois Server			The Whois server to be used
Whois Server Port	43		The TCP port of the remote Whois server
Whois Query Timeout	1500 ms		The amount of time to wait until considering a query as failed
Batch Size	25		The number of incoming FlowFiles to process in a single execution of this processor.
Bulk Protocol	None	BeginEnd None	The protocol used to perform the bulk query.
Results Parser	None	Split RegEx None	The method used to slice the results into attribute groups
Parser RegEx			Choice between a splitter and regex matcher used to parse the results of the query into attribute groups. NOTE: This is a multiline regular expression, therefore, the DFM should decide how to handle trailing new line characters.
Key lookup group (multiline / batch)			When performing a batched lookup, the following RegEx numbered capture group or Column number will be used to match the whois server response with the lookup field

Relationships:

Name	Description
not found	Where to route flow files if data enrichment query rendered no results
found	Where to route flow files after successfully enriching attributes with data

Reads Attributes:

None specified.

Writes Attributes:

Name	Description
enrich.dns.record.group	The captured fields of the Whois query response for each of the records received