Has anybody tried using the IP Reputation App for Splunk Enterprise before? It works, but is very slow. Anybody experience this before? I am trying to look up approx. 3000 IPs every 10 minutes. Honey pot API is not getting the response back to me fast enough.
Is there a way to sync that honeypot threat data to a local lookup table and do local lookups?
I did some performance tests and on my MacBook I could look up around 2-3 IPs/second easily. It depends on your network connectivity and configured DNS server. These are all DNS queries. If you query the same IP a second time, your configured DNS server will be your local cache.
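One way to get the local lookup table the question asks about, as an added example that is not from this thread or from the Splunk app: it assumes the honeypot DNS list is Project Honey Pot's http:BL (the thread only says "honeypot" and "DNS queries"), uses a placeholder access key, keeps every answer in a timestamped cache so repeated IPs are not queried again until a TTL expires, runs the remaining DNS lookups in parallel, and writes the cache out as a CSV lookup table.

```python
import csv
import socket
import time
from concurrent.futures import ThreadPoolExecutor
# Assumption: the DNS list is Project Honey Pot's http:BL; the thread does not name it.
HTTPBL_ZONE = "dnsbl.httpbl.org"
CACHE_TTL = 6 * 3600  # seconds before a cached IP is queried again

def httpbl_name(ip, access_key):
    """Build the query name: access key, then the IPv4 octets reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    return f"{access_key}.{'.'.join(reversed(octets))}.{HTTPBL_ZONE}"

def parse_answer(answer):
    """Decode a 127.D.S.T answer: D days since last seen, S threat score, T visitor type."""
    first, days, score, vtype = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError(f"unexpected http:BL answer: {answer}")
    return {"days": days, "score": score, "type": vtype}

def dns_resolve(name):
    """Default resolver: NXDOMAIN (socket.gaierror) means the IP is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def lookup_many(ips, access_key, cache, resolve=dns_resolve, workers=20, now=None):
    """Query only IPs missing from or expired in `cache`, in parallel; return all results."""
    now = time.time() if now is None else now
    todo = [ip for ip in set(ips) if ip not in cache or now - cache[ip]["ts"] > CACHE_TTL]
    def one(ip):
        ans = resolve(httpbl_name(ip, access_key))
        rec = parse_answer(ans) if ans else {"days": -1, "score": 0, "type": 0}
        rec["ts"] = now
        return ip, rec
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for ip, rec in pool.map(one, todo):
            cache[ip] = rec
    return {ip: cache[ip] for ip in set(ips)}

def save_lookup(cache, path):
    """Write the cache as a CSV lookup table Splunk can read (ip,days,score,type,ts)."""
    with open(path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=["ip", "days", "score", "type", "ts"])
        w.writeheader()
        w.writerows({"ip": ip, **rec} for ip, rec in sorted(cache.items()))
```

Run it on a schedule with the IPs from the last 10 minutes; only IPs not already in the CSV (or older than CACHE_TTL) ever reach DNS, and the search can then use the CSV with a plain lookup instead of calling the API per event.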