/graylog2-server

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

otx_lookup_domain validation #4489

Closed
mudrunkar opened this Issue Jan 17, 2018 · 1 comment

Comments

Assignees

@bernd bernd

Labels
bug
Projects
None yet
Milestone
  2.4.1
2 participants
@mudrunkar @bernd
@mudrunkar

mudrunkar commented Jan 17, 2018
edited

otx_lookup_domain pipeline function seems to expect an IP address, although the function is supposed to use domain name as argument.

Expected Behavior

I wouldn't expect error message

Unable to auto-detect IP address type for key <mcafee.com>

in case of otx_lookup_domain function. I feed the pipeline function with top level and second level domain string, for instance "googleapis.com", "firefox.com", "facebook.com etc".

Current Behavior

otx_lookup_domain function doesn't work as expected and results in the following error message in the log:

2018-01-17 15:46:24,327 WARN : org.graylog.plugins.threatintel.adapters.otx.OTXDataAdapter - Unable to auto-detect IP address type for key <google-analytics.com>

Possible Solution

Steps to Reproduce (for bugs)

I use the following pipeline function to query AlienVault's otx and to set the field in the log:

rule "add_otx_lookup"
when 
    has_field("name_tld2ld")
then
    let otx_lookup = otx_lookup_domain(to_string($message.name_tld2ld));
    set_field("otx_lookup_result", otx_lookup);
end

Context

Your Environment

  • Graylog Version: 2.4.0
  • Elasticsearch Version:
  • MongoDB Version:
  • Operating System:
  • Browser version:

@bernd bernd added the bug label Jan 17, 2018

@bernd bernd added this to the 2.4.1 milestone Jan 17, 2018

@bernd bernd added needs-input and removed needs-input labels Jan 17, 2018

@bernd bernd self-assigned this Jan 17, 2018

bernd added a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Jan 17, 2018

@bernd
Fix "otx_lookup_domain" pipeline function 
Fixes Graylog2/graylog2-server#4489
Loading status checks…
ad0fcf7

@bernd bernd referenced this issue Jan 17, 2018

Merged

Fix "otx_lookup_domain" pipeline function #83

@wafflebot wafflebot bot added the in progress label Jan 17, 2018

@bernd

This comment has been minimized.

Sign in to view
Member

bernd commented Jan 17, 2018

@mudrunkar Thank you for the report. A fix for this will be in the upcoming 2.4.1 release.

@bernd bernd assigned bernd and unassigned bernd Jan 17, 2018

@joschi joschi closed this in Graylog2/graylog-plugin-threatintel#83 Jan 18, 2018

joschi added a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Jan 18, 2018

@bernd @joschi
Fix "otx_lookup_domain" pipeline function (#83) 
Fixes Graylog2/graylog2-server#4489
644a98c

@wafflebot wafflebot bot removed the in progress label Jan 18, 2018

joschi added a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Jan 18, 2018

@bernd @joschi
Fix "otx_lookup_domain" pipeline function (#83) 
Fixes Graylog2/graylog2-server#4489

(cherry picked from commit 644a98c)
Unverified
The committer email address is not verified.
Learn about signing commits
96e8283
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment