otx_lookup_domain validation #4489

Closed
mudrunkar opened this Issue Jan 17, 2018 · 1 comment

mudrunkar commented Jan 17, 2018

The otx_lookup_domain pipeline function seems to expect an IP address, although the function is supposed to take a domain name as its argument.

Expected Behavior

I wouldn't expect the error message

Unable to auto-detect IP address type for key <mcafee.com>

in the case of the otx_lookup_domain function. I feed the pipeline function with top-level and second-level domain strings, for instance "googleapis.com", "firefox.com", "facebook.com", etc.

Current Behavior

otx_lookup_domain function doesn't work as expected and results in the following error message in the log:

2018-01-17 15:46:24,327 WARN : org.graylog.plugins.threatintel.adapters.otx.OTXDataAdapter - Unable to auto-detect IP address type for key <google-analytics.com>

Possible Solution

Steps to Reproduce (for bugs)

I use the following pipeline rule to query AlienVault's OTX and to set the field in the log:

rule "add_otx_lookup"
when
    has_field("name_tld2ld")
then
    let otx_lookup = otx_lookup_domain(to_string($message.name_tld2ld));
    set_field("otx_lookup_result", otx_lookup);
end

Context

Your Environment

  • Graylog Version: 2.4.0
  • Elasticsearch Version:
  • MongoDB Version:
  • Operating System:
  • Browser version:

@bernd bernd added the bug label Jan 17, 2018

@bernd bernd added this to the 2.4.1 milestone Jan 17, 2018

@bernd bernd added needs-input and removed needs-input labels Jan 17, 2018

@bernd bernd self-assigned this Jan 17, 2018

bernd added a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Jan 17, 2018

@wafflebot wafflebot bot added the in progress label Jan 17, 2018

bernd commented Jan 17, 2018

@mudrunkar Thank you for the report. A fix for this will be in the upcoming 2.4.1 release.

@bernd bernd assigned bernd and unassigned bernd Jan 17, 2018

joschi added a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Jan 18, 2018

@wafflebot wafflebot bot removed the in progress label Jan 18, 2018

joschi added a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Jan 18, 2018
