Skip to content

/ graylog2-server

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

otx_lookup_domain validation #4489

Closed
mudrunkar opened this issue Jan 17, 2018 · 1 comment
Closed

otx_lookup_domain validation #4489

mudrunkar opened this issue Jan 17, 2018 · 1 comment
Assignees
@bernd
Labels
bug
Milestone
2.4.1

Comments

@mudrunkar
Copy link

@mudrunkar mudrunkar commented Jan 17, 2018
edited

otx_lookup_domain pipeline function seems to expect an IP address, although the function is supposed to use domain name as argument.

Expected Behavior

I wouldn't expect error message

Unable to auto-detect IP address type for key <mcafee.com>

in case of otx_lookup_domain function. I feed the pipeline function with top level and second level domain string, for instance "googleapis.com", "firefox.com", "facebook.com etc".

Current Behavior

otx_lookup_domain function doesn't work as expected and results in the following error message in the log:

2018-01-17 15:46:24,327 WARN : org.graylog.plugins.threatintel.adapters.otx.OTXDataAdapter - Unable to auto-detect IP address type for key <google-analytics.com>

Possible Solution

Steps to Reproduce (for bugs)

I use the following pipeline function to query AlienVault's otx and to set the field in the log:

rule "add_otx_lookup"
when 
    has_field("name_tld2ld")
then
    let otx_lookup = otx_lookup_domain(to_string($message.name_tld2ld));
    set_field("otx_lookup_result", otx_lookup);
end

Context

Your Environment

  • Graylog Version: 2.4.0
  • Elasticsearch Version:
  • MongoDB Version:
  • Operating System:
  • Browser version:
@bernd bernd added the bug label Jan 17, 2018
@bernd bernd added this to the 2.4.1 milestone Jan 17, 2018
@bernd bernd added needs-input and removed needs-input labels Jan 17, 2018
@bernd bernd self-assigned this Jan 17, 2018
bernd added a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Jan 17, 2018
@bernd
Fix "otx_lookup_domain" pipeline function
Loading status checks…
ad0fcf7 
Fixes Graylog2/graylog2-server#4489
@bernd bernd mentioned this issue Jan 17, 2018
Merged
@ghost ghost added the in progress label Jan 17, 2018
@bernd
Copy link
Member

@bernd bernd commented Jan 17, 2018

@mudrunkar Thank you for the report. A fix for this will be in the upcoming 2.4.1 release.
@bernd bernd assigned bernd and unassigned bernd Jan 17, 2018
joschi added a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Jan 18, 2018
@bernd @joschi
Fix "otx_lookup_domain" pipeline function (#83)
644a98c 
Fixes Graylog2/graylog2-server#4489
@ghost ghost removed the in progress label Jan 18, 2018
joschi pushed a commit to Graylog2/graylog-plugin-threatintel that referenced this issue Jan 18, 2018
@bernd Jochen Schalanda
Fix "otx_lookup_domain" pipeline function (#83)
Unverified
No user is associated with the committer email.
Learn about signing commits
96e8283 
Fixes Graylog2/graylog2-server#4489

(cherry picked from commit 644a98c)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bernd bernd

Labels
bug
Projects
None yet
Milestone
2.4.1
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
@bernd @mudrunkar