0

I have a firewall log with events from 2 years ago. I want to examine that log as if I was investigating at the time of collection (2 years ago).

However, I would like to use IP address reputation data. But I was not yet able to find a source that provides historical IP address reputation data.

What are your ideas/sources to deal with that situation?

schroeder
helt

1 Answer

1

IPs get changed and reassigned all the time. Any automatically collected reputation data gets stale fast. It's unlikely sites will archive that info.

But I have been in the same situation. What I ended up doing was using my Google Fu and the Wayback Machine to search during that timeframe to see if forums, reputation sites, etc. mentioned the IPs in question, and I was able to find enough information to help an investigation.

But there will be no guarantees that you will have similar success.

schroeder
  • Thanks. That's good advice, if no other answer fits ;) Maybe I am ignorant, but delta lists shouldn't be that big, I guess... – helt Jan 20 '18 at 20:40
  • You might be surprised. The other problem is that innocent users of current IPs will be tainted with the historical reputation. It's already a problem with domain blacklists. There might be some sources that store that info, but requests for services/sites are off-topic here. – schroeder Jan 20 '18 at 20:43
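
The Wayback Machine search described in the answer can be narrowed to the log's timeframe through the archive's CDX index. The sketch below is an added example, not part of the original answer: it builds a query for captures around a log event and picks the capture closest in time, reporting how far it is from the event so stale or reassigned-IP data is visible. The page pattern `reputation.example/ip/{ip}`, the IP, the event time and the CDX response are constructed placeholders.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
# Hypothetical page pattern; substitute the forums/reputation pages you search.
PAGE_TEMPLATE = "reputation.example/ip/{ip}"
TS_FMT = "%Y%m%d%H%M%S"  # Wayback 14-digit capture timestamp


def cdx_query_url(ip, event_time, window_days=30):
    """Build a CDX query limited to captures around the log event."""
    delta = timedelta(days=window_days)
    params = {
        "url": PAGE_TEMPLATE.format(ip=ip),
        "from": (event_time - delta).strftime("%Y%m%d"),
        "to": (event_time + delta).strftime("%Y%m%d"),
        "output": "json",
        "filter": "statuscode:200",
    }
    return CDX_ENDPOINT + "?" + urlencode(params)


def closest_capture(cdx_json, event_time):
    """Return (replay_url, offset_in_days) for the nearest capture, or None."""
    rows = json.loads(cdx_json)
    if len(rows) < 2:  # empty list or header row only: nothing archived
        return None
    header, captures = rows[0], rows[1:]
    ts_i, url_i = header.index("timestamp"), header.index("original")

    def gap(row):
        return datetime.strptime(row[ts_i], TS_FMT) - event_time

    best = min(captures, key=lambda row: abs(gap(row)))
    replay = f"https://web.archive.org/web/{best[ts_i]}/{best[url_i]}"
    return replay, round(gap(best).total_seconds() / 86400, 1)


# Constructed sample data: one firewall event and a CDX-style JSON response.
EVENT_IP, EVENT_TIME = "203.0.113.7", datetime(2016, 1, 12, 8, 30)
_PAGE = "http://reputation.example/ip/203.0.113.7"
_KEY = "example,reputation)/ip/203.0.113.7"
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    [_KEY, "20151220000000", _PAGE, "text/html", "200", "CONSTRUCTED1", "1234"],
    [_KEY, "20160114120000", _PAGE, "text/html", "200", "CONSTRUCTED2", "1301"],
    [_KEY, "20160301000000", _PAGE, "text/html", "200", "CONSTRUCTED3", "1287"],
])

if __name__ == "__main__":
    print(cdx_query_url(EVENT_IP, EVENT_TIME))
    print(closest_capture(SAMPLE_CDX, EVENT_TIME))
```

A large offset between capture and event is a reason to treat the archived page as weak evidence, since the address may have changed hands in between.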